REPORT ON THE RECOMMENDATIONS
OF LEADING STANDARDS ON
DIGITAL SECURITY POLICIES FOR
REGULATORY PURPOSES
REPORT 1 OF SECURING THE PHILIPPINES’
DIGITAL PAYMENTS SYSTEM
Prepared for the United States Agency for International Development by Chemonics International
Inc. under “E-PESO” Contract No. AID-492-C-15-0001. The author’s views expressed in this
publication do not necessarily reflect the views of the United States Agency for International
Development or the United States Government.
Implemented by:
Chemonics International Inc.
1717 H Street NW
Washington, DC 20006
Phone: +1 202-995-3300
Fax: +1 202-995-3400
www.chemonics.com
CONTENTS
INTRODUCTION 1
DIGITAL SECURITY STANDARDS 2
ISO / IEC 27001 - INFORMATION SECURITY MANAGEMENT SYSTEM 2
BACKGROUND OF THE STANDARD 2
REASON FOR SELECTION 4
PAYMENT CARD INDUSTRY DATA SECURITY STANDARD 5
BACKGROUND OF THE STANDARD 5
REASON FOR SELECTION 6
GUIDANCE ON CYBER RESILIENCE FOR FINANCIAL MARKET INFRASTRUCTURES BY COMMITTEE ON PAYMENTS AND MARKET INFRASTRUCTURES 8
BACKGROUND OF THE STANDARD 8
REASON FOR SELECTION 16
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY FRAMEWORK FOR IMPROVING CRITICAL INFRASTRUCTURE CYBERSECURITY 17
BACKGROUND OF THE STANDARD 17
REASON FOR SELECTION 18
CONCLUSION 19
REFERENCES / SOURCES 20
1 | RECOMMENDATIONS OF LEADING STANDARDS ON DIGITAL SECURITY POLICIES
INTRODUCTION
This report highlights the leading standards on digital security policies that will aid in reducing the
risks of electronic or digital payment usage in the financial market of the Philippines. Essentially, the
report recommends the following standards for consideration when formulating or updating
regulatory policies that seek to improve the security posture of participants in a digital payments
ecosystem.
The report recommends the following standards and details the justification for each:
• ISO / IEC 27001 - Information Security Management System (referred to in this report as
ISO 27001)
• Guidance on cyber resilience for financial market infrastructures by Committee on Payments
and Market Infrastructures, Board of the International Organization of Securities
Commissions (referred to in this report as CRF-CPMI)
• National Institute of Standards and Technology Framework for Improving Critical
Infrastructure Cybersecurity (referred to in this report as NIST-CSF)
• Payment Card Industry Data Security Standard (referred to in this report as PCI DSS)
The authors of the report are aware of other digital security standards, frameworks and guidance
available, but the security controls required by those standards are similar to those of the standards
mentioned above. The order in which the standards are presented does not signify importance or
priority of adoption.
The report does not include policies, processes and procedures related to the treatment of
cryptocurrency, which is observed to bring new waves of disruptive behavior into the marketplace.
DIGITAL SECURITY STANDARDS
ISO / IEC 27001 - INFORMATION SECURITY MANAGEMENT SYSTEM
BACKGROUND OF THE STANDARD
The Standard established for Information Security Management Systems (ISO/IEC 27001) takes
a holistic approach. The organization’s information risks are addressed using a suitable set of
controls that include the policies, processes, and procedures of the organization’s structure. The internal
and external processes that use hardware and software functions are also examined accordingly. The
ISO/IEC 27001 International Standard helps the organization implement a comprehensive suite of
information security controls under the overall framework of a coherent management system
(ISO/IEC 27002, 2013 Edition), which becomes the blueprint of the organization.
As a business enabler, an effective Information Security Management System (ISMS) assures the
management and its stakeholders that the organization’s assets are reasonably safe1 and protected
against harm (ISO/IEC 27002, 2013 Edition). Any changes that take place in an organization, such as
changes to business processes and systems or external changes such as new laws or regulations, create new
information security risks. A successfully implemented information security management system
helps reduce risks by protecting the organization against threats and vulnerabilities and, in doing so,
also minimizes the impact of these risks on its assets.
The latest version of the Standard’s normative requirements to establish an ISMS has 114 security
controls (Annex A, ISO/IEC 27001, 2013 Edition) covering the 14 domains indicated below:
1. Information Security Policies (A.5)
2. Organization of Information Security (A.6)
3. Human Resource Security (A.7)
4. Asset Management (A.8)
5. Access Control (A.9)
6. Cryptography (A.10)
7. Physical and Environmental Security (A.11)
8. Operations Security (A.12)
9. Communications Security (A.13)
10. System Acquisition, Development and Maintenance (A.14)
11. Supplier Relationship (A.15)
12. Information Security Incident Management (A.16)
13. Information Security Aspects of Business Continuity Management (A.17)
14. Compliance (A.18)
The 2017 report of the worldwide ISO Survey of Certifications, conducted annually by the
International Organization for Standardization (ISO), stated that the number of organizations
certified to ISO 27001 was 33,290 for the year 2016, up from 27,536 in 2015. The survey covers only
the number of valid certificates as of 31 December 2016, and this information was provided by
certification bodies* since ISO does not perform certification. According to the report, ISO and
IEC’s standard for information security experienced a 21% annual increase
worldwide (The ISO Survey of Management System Standard Certifications 2016, September 2017). Table
1 below gives a comprehensive overview of certifications to the standards covered by
the survey:
1 The author italicized the word “reasonably” to give emphasis that constant vigilance plays a significant role to
ensure that the information assets of the organization are protected and secured, on top of maintaining the
effectiveness, currency and relevance of its Information Security Management System.
Table 1 - Summary of ISO Survey of Management System Standard Certifications 2016

| Standard | Number of Certificates in 2016 | Number of Certificates in 2015 | Change | Change in % |
|---|---|---|---|---|
| ISO 9001** | 1,106,356 | 1,034,180 | 72,176 | +7 |
| ISO 14001*** | 346,189 | 319,496 | 26,693 | +8 |
| ISO 50001 | 20,216 | 11,985 | 8,231 | +69 |
| ISO 27001 | 33,290 | 27,536 | 5,754 | +21 |
| ISO 22000 | 32,139 | 32,061 | 78 | 0 |
| ISO/TS 16949 | 67,358 | 62,944 | 4,414 | +7 |
| ISO 13485 | 29,585 | 26,255 | 3,330 | +13 |
| ISO 22301 | 3,853 | 3,133 | 720 | +23 |
| ISO 20000-1 | 4,537 | 2,778 | 1,759 | +63 |
| ISO 28000 | 356 | | | |
| ISO 39001 | 478 | | | |
| TOTAL | 1,644,357 | 1,520,368 | | +8 |

*Accredited certification bodies are those that have been independently evaluated by accreditation members of the IAF, the world association of conformity assessment accreditation bodies.
**ISO 9001:2008 (=1,025,761) + ISO 9001:2015 (=80,596)
***ISO 14001:2004 (=323,023) + ISO 14001:2015 (=23,165)
This steady growth, despite year-to-year fluctuations in the number of participating certification bodies
and in the number of certificates reported, indicates that there is now increased maturity in
awareness and appreciation of the importance of an effective information security management
system.
REASON FOR SELECTION
In the Philippines, the Bureau of Philippine Standards (BPS) has adopted the International
Standard ISO/IEC 27001 as a National Standard. This Standard, which uses the PDCA (Plan-Do-
Check-Act) Model, forces the organization to establish, implement, monitor and continuously review
the security controls that have been put in place.
The Data Privacy Act of 2012 (R.A. 10173) further amplifies the need for every organization
affected by the enforcement of the provisions of the law to consider adopting
ISO/IEC 27001 for its information security management system. The Standard is an enabling
mechanism that will help the organization adhere to the requirements of the law. On the same
note, the Government, being cognizant of the significance of the Standard in protecting information
assets, has adopted it into its cybersecurity strategic plan (The National Cybersecurity Plan 2022).
Following the rollout of the NCSP 2022, which the Department of Information and Communications
Technology (DICT), under its Cybersecurity Bureau, started at the beginning of 2017, three
memorandum circulars (MCs) related to the implementation of NCSP 2022 have been formulated and
published. One of these, Memorandum Circular No. 005, prescribing the policies, rules and
regulations on the protection of Critical Infostructure (CII), has four salient features, to wit:
a) Section IV, A, adoption of the PNS ISO/IEC 27000 Family of Standards and other relevant
International Standards for Mandatory Compliance;
b) Section IV, B, conduct of an Annual Risk and Vulnerability Assessment (based on ISO/IEC 27001
and ISO/IEC 31000);
c) Section IV, C, conduct of a Security Assessment; and
d) Section IV, D, creation of a Computer Emergency Response Team.
Selecting and adopting ISO/IEC 27001 as one of the standards can significantly ease
implementation, since the Banking and Finance Sector has been identified as one of the
12 priority sectors classified as Critical Information Infrastructure (CII) of the country. In the
protection of CII under the NCSP Implementation Plan, risk management approaches and strategies are
among the core activities of the National Government. Although the management approach of
ISO/IEC 27001 has its limitations compared with other, more extensive risk management frameworks, it still
provides a good baseline for the financial institutions (FIs) and financial market infrastructures (FMIs)
that are constantly exposed to varying degrees of risk. This Standard complements the
other standards identified by the authors.
PAYMENT CARD INDUSTRY DATA SECURITY STANDARD
BACKGROUND OF THE STANDARD
PCI Security Standards are technical and operational requirements set by the PCI Security Standards
Council (PCI SSC) to protect cardholder data. The standards apply to all entities that store, process
or transmit cardholder data, with requirements for software developers and manufacturers of
applications and devices used in those transactions. The Council is responsible for managing the
security standards, while compliance with the PCI set of standards is enforced by the founding
members of the Council: American Express, Discover Financial Services, JCB, MasterCard and Visa
Inc., normally recognized by their card brands AMEX, Discover, JCB, MasterCard and VISA
respectively.
PCI Data Security Standard (PCI DSS)
The PCI DSS applies to all entities that store, process, and/or transmit cardholder data. It covers
technical and operational system components included in or connected to cardholder data. If an
organization accepts or processes payment cards, PCI DSS applies to that organization (PCI DSS
Quick Reference Guide, 2016).
Currently at version 3.2, PCI DSS is the global data security standard adopted by the payment card
brands for all entities that process, store or transmit cardholder data and/or sensitive authentication
data. It consists of steps that mirror security best practices.
Table 2 - PCI DSS Requirements

Build and Maintain a Secure Network and Systems
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
5. Protect all systems against malware and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need to know
8. Identify and authenticate access to system components
9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes

Maintain an Information Security Policy
12. Maintain a policy that addresses information security for all personnel
REASON FOR SELECTION
Payment cards (and by extension payment card brands) dominate the digital payment ecosystem.
They are entrenched in banks and other financial institutions due to the trust of consumers in their
brands. The card brands have clout in the card payment supply chain in enforcing their security
requirements.
Below is the 2015 worldwide purchase volume of all the card brands and the projected increase
over 10 years.
[Figure: 2015 worldwide purchase volume of all card brands and projected increase over 10 years]
Below is the share of each of the major card brands in 2016 purchase transactions.
[Figure: Share of each major card brand in 2016 purchase transactions]
Although the exact number of PCI DSS certificates and adopters in the Philippines cannot be
ascertained, the dominant card brands MasterCard and Visa do enforce compliance with their security
requirements as a condition of entry to the supply chain of their ecosystem.
Acknowledging the specific controls required by PCI DSS would help adoption by
organizations within the card brands’ supply chain.
GUIDANCE ON CYBER RESILIENCE FOR FINANCIAL MARKET INFRASTRUCTURES BY
COMMITTEE ON PAYMENTS AND MARKET INFRASTRUCTURES
BACKGROUND OF THE STANDARD
This Standard contains specific cyber resiliency controls for Financial Market Infrastructures (FMIs).
When the operations of FMIs become compromised, shocks are created across domestic and
international financial markets with varying degrees of negative impact. These adverse impacts may
occur in the form of liquidity dislocations and credit losses. The level of cyber resilience of a financial
system contributes to the operational resiliency of FMIs, which is a decisive factor in the overall
resilience of FMIs and the broader economy.
The Cyber Resilience Framework for Financial Market Infrastructures (CRF-CPMI) is clearly
articulated by examining five primary categories of risk management: Governance, Identification,
Protection, Detection, and Response and Recovery, over three overarching components/activities:
Testing, Situational Awareness, and Learning and Evolving (see Figure 1, Cyber resilience guidance
components). These have been drawn from the Principles for Financial Market Infrastructures (PFMI),
published in 2012 by the Committee on Payment and Settlement Systems (CPSS), now known as CPMI.
This Standard can be applied to other types of infrastructure that have not been formally covered by
the report. The FMIs defined under the PFMI include, but are not limited to, systemically
important payment systems, central securities depositories (CSDs), securities settlement systems
(SSSs), central counterparties (CCPs) and trade repositories (TRs). The cyber resilience of an FMI is
dependent on its interconnections with other FMIs. The extensive interconnections in the financial
system necessitate collaboration between FMIs and their stakeholders to promote understanding
and support of resilience objectives and their implementation (Guidance on Cyber Resilience for
Financial Market Infrastructures, BIS - IOSCO 2016). Thus, the cyber resiliency of the financial system has
broader relevance across all interconnected FMIs.
Table 3-1 and Table 3-2 provide a general overview of the controls from CRF-CPMI. These
controls can also be supplemented with controls from other Standards.
[Figure 1: Cyber resilience guidance components]
Table 3-1 Risk Management Categories and Subcategories

Governance

Cyber resilience framework
❏ A cyber resilience framework that determines and clearly articulates the FMI’s cyber resilience objectives and cyber risk tolerance
❏ Cyber is more than just ICT; it also covers people and processes
❏ Enterprise risk management should be consistent with the FMI’s enterprise operational risk management framework
❏ The FMI’s ecosystem takes an integrated approach and a comprehensive view of the potential threats it faces
❏ International and national standards are used for benchmarking the design of an FMI’s cyber resilience framework
❏ Risk management governance defines roles and responsibilities, including accountability for decision-making in managing cyber risk, including in emergencies and crises
❏ Audits and compliance enable the FMI to determine the adequacy and measure the effectiveness of its cyber resilience framework using relevant metrics and maturity models as well as the results of its testing programs

Role of the board and senior management
❏ The board and senior management have ultimate responsibility for setting the cyber resilience framework and ensuring that cyber risk is effectively managed
❏ A culture cultivated by the FMI’s board and senior management results in a strong level of awareness of and commitment to cyber resilience
❏ Skills appropriate to the effective oversight of the FMI’s cyber resilience framework and cyber risk profile are developed for the board and senior management
❏ Accountability and responsibility are given to a designated senior executive for executing the cyber resilience framework within the organization; this executive must possess the requisite expertise and knowledge to competently plan and execute the cyber resilience initiative, and the role should have sufficient authority, independence, resources and access to the board

Identification

Identification and classification
❏ Business functions and processes are identified and risk assessments are conducted
❏ Information assets and related access are identified in order to maintain a current inventory of information assets, system configurations, and interconnections with other internal and external systems; a log of both individual and system credentials is maintained and kept up to date
❏ The list of critical business processes, functions, individual and system credentials and the inventory of assets is regularly reviewed and updated through the integration of identification efforts

Interconnections
❏ Impacts from and on the FMI’s ecosystem, i.e. the systems and processes of the entities directly and indirectly interconnected with the FMI, are identified and risk assessments are conducted in order to design and implement a cyber resilient ecosystem

Protection

Protection of processes and assets
❏ Controls that are appropriate, suitable, and in line with leading-practice cyber resilience standards minimize the likelihood and impact of a successful cyber attack against the FMI and its identified critical business functions, information assets and data; these protective controls should be proportionate to the FMI’s threat landscape and systemic role in the financial system and consistent with its risk tolerance
❏ Resilience by design treats rigorous testing against relevant security standards, beginning from the ground up during system, process and product design, as a best practice; it ensures that attack surfaces are limited to the extent practicable and that common information security principles relating to confidentiality, integrity and availability are adhered to
❏ Strong ICT controls are maintained consistently, since these are a fundamental and critical component of an FMI’s overall cyber resilience; they include, but are not limited to, protecting information, change management, and security settings consistent with the required levels of protection
❏ Layered protection that facilitates response and recovery is enabled in order to monitor and detect any anomalous activity across multiple layers of the FMI’s infrastructure; this requires a baseline profile of system activity. Segmenting the network in a manner that segregates systems and data of varying criticality has multiple benefits, both by helping the FMI to insulate systems in one segment from a security compromise in other segments, and by facilitating more efficient recovery of services

Interconnections
❏ Risks from interconnections require the implementation of protective measures to mitigate risks arising from the entities within the FMI’s ecosystem. Appropriate controls for each entity depend on the risks that arise from the connected entity and the nature of the relationship with it. The FMI’s systemic importance and unique position in the financial system dictate that it ensure suitable measures are implemented to effectively mitigate the risks arising from its connected entities, including:
a) Participation requirements designed to ensure that they adequately support the FMI’s cyber resilience framework
b) A framework designed to address and mitigate cyber risks, with cyber considerations forming an integral part of the FMI’s arrangements for managing vendors and vendor products in the areas of contracts, performance, relationships and risks

Insider Threats
❏ Security analytics are used to implement measures that capture and analyze anomalous behavior by persons with access to the FMI’s systems; data loss identification and prevention techniques are deployed to protect against the removal of confidential data from the FMI’s network
❏ Checks are conducted on changes in employment status, including the screening of new employees; similar checks are done on all staff at regular intervals throughout their employment, commensurate with their access to critical systems
❏ Both physical and logical access to systems is permitted only for individuals who are authorized, and authorization is limited to individuals who are appropriately trained and monitored; strong controls are instituted that reliably restrict such access to systems and over privileged systems

Training
❏ All staff of an FMI, whether permanent or temporary, receive training to develop and maintain appropriate awareness of and competencies for detecting and addressing cyber-related risks; they are also trained on how to report any unusual activity and incidents
❏ High-risk groups with access to privileged systems or in sensitive business functions are identified and receive targeted information security training

Detection

Detecting a cyber attack
❏ Continuous monitoring enables the detection of anomalous activities and events
❏ The scope of monitoring is comprehensive, covering relevant internal and external factors
❏ Layered detection provides the ability to detect intrusions early, which is critical to swift containment and recovery; an effective intrusion detection capability assists FMIs in identifying deficiencies in their protective measures for early remediation
❏ An FMI’s incident response is largely dependent on its monitoring and detection capabilities
❏ Security analytics implement measures that capture and analyze anomalous behavior by persons with access to the corporate network

Response and Recovery

Incident response, resumption and recovery
❏ Incident response planning includes thorough investigation to determine the nature and extent of an incident as well as the damage inflicted; everything from detection to damage containment through to recovery depends on response planning
❏ Resumption within two hours is planned and tested against the goals and objectives for the sound functioning of the financial system when operations resume
❏ Contingency planning includes planning scenarios with suitable and appropriate activities for when the objectives that have been set are not met
❏ Planning and preparation are developed, and the response is tested, to determine its suitability and ensure the safe resumption of the FMI’s critical functions and operations after containment

Design elements
❏ The design and business integration of processes and controls for critical functions and operations support incident response activities; the FMI’s incident response, resumption and recovery processes are closely integrated with crisis management, business continuity and disaster recovery planning and recovery operations, and coordinated with relevant internal and external operations
❏ Data integrity is safeguarded by stringent protective and detective controls; an FMI’s cyber resilience framework includes data recovery measures, with recovery point objectives (RPO) supporting integrity that are consistent with the FMI’s resumption time objectives (RTO) for critical operations, achieved through diverse approaches

Interconnections
❏ Data-sharing agreements are mechanisms set up in advance with relevant parties or participants to enable uncorrupted data to be retrieved and received in a timely manner once a successful cyber attack has been identified
❏ Contagion risk is inherent to the interconnected and interdependent internal and external systems of FMIs
❏ A crisis communication plan is developed in advance through an adaptive process informed by scenario-based planning and analysis as well as prior experience; FMIs are consciously aware that cyber incidents are dynamic in nature and can escalate rapidly, so decision-making responsibilities for incident response are determined in advance and clearly defined escalation and decision-making procedures are implemented
❏ A responsible disclosure policy and procedure enable the responsible disclosure of potential vulnerabilities; these disclosures are prioritized to facilitate early response and risk mitigation by stakeholders
❏ Forensic readiness is established so that FMIs can assist in or conduct forensic investigations of cyber incidents, and protective and detective controls are engineered to facilitate the investigative process; relevant system logging policies are maintained along with the corresponding retention periods, and appropriate steps are taken so that investigations can be performed post-event to the extent possible, i.e. through preservation of the necessary system logs and evidence
Table 3-2 Overarching Activities and Sub-Activities
Overarching
Activities
Sub-Activities Elements
Testing Comprehensive testing
programmes
❏ Testing program are established and these comprehensive
testing program are used to validate the effectiveness of its
cyber resilience framework on a regular and frequent basis.
Appropriate cyber threat intelligence to inform its testing
methods are employed. Results of these testing programs are
used by the FMI to support ongoing improvement of its cyber
resilience. These include but not limited to: business continuity,
incident and crisis response teams and the relevant entities in
its ecosystem. The board and senior management are involved
in this process as may be appropriate and they are informed of
the test results
❏ Methodologies and practices of FMIs employ various effective
testing methodologies and practices, including the following
which may partly overlap or can be combined:
a) Vulnerability assessment
b) Scenario based testing
c) Penetration testing
d) Red team tests
Coordination ❏ Coordination are planned and promoted to the extent
applicable and organize and manage exercises designed to test
its response, resumption and recovery plans and processes.
These exercises include FMI participants, critical service
providers and linked FMIs. To achieve market-wide timely
recovery of operations calls for an added dimension to testing
exercises. Also, testing include scenarios that cover breaches
affecting multiple portions of the FMI’s ecosystem
RECOMMENDATIONS OF LEADING STANDARDS ON DIGITAL SECURITY POLICIES | 14
Overarching
Activities
Sub-Activities Elements
Situational
awareness
Cyber threat
intelligence
❏ Identification of potential cyber threats are conducted that
materially affect its ability to perform or to provide services as
expected or have a significant impact on its ability to meet its
own obligations or have knock-out effects within its ecosystem.
Threats to the confidentiality, integrity and availability of the
FMI’s business processes and to its reputation can arise from
internal and external source. Threat analysis are also included
based from the threats that can trigger extreme but plausible
cyber events, even if it is considered unlikely to occur or have
never occurred in the past. Regular review and update of the
analysis are conducted by FMIs
❏ Threat intelligence process are established as a process to
gather and analyse relevant cyber threat information. The
analysis are in conjunction with other sources of internal and
external business and system information so as to provide
business-specific context, turning the information into usable
threat intelligence that provides timely insights and informs
enhance decision-making. This is done by enabling FMI to
anticipate a cyber attacker’s capabilities, intentions and modus
operandi
❏ Scope of cyber threat intelligence gathering includes the
capability to gather and interpret information about relevant
cyber threats arising from the FMI’s participants, service and
utility providers and other FMIs and to interpret this
information in ways that allow the FMI to identify, assess and
manage security threats and vulnerabilities for the purpose of
implementing appropriate safeguards in its systems. Relevant
information within this context include information on
geopolitical developments that may trigger cyber attacks on any
entity within the FMI’s ecosystem
❏ Effective use of information is based on making cyber threat
intelligence available to appropriate staff with responsibility for
the mitigation of cyber risks at the strategic, tactical and
operational levels within the FMI. Cyber threat intelligence are
used to ensure that the implementation of any cyber resilience
measures is threat-informed. It enables an FMI to validate and
inform the prioritization of resources, risk mitigation strategies
and training programs
15 | RECOMMENDATIONS OF LEADING STANDARDS ON DIGITAL SECURITY POLICIES
Overarching
Activities
Sub-Activities Elements
Information sharing ❏ Planning ahead enables to facilitate sector-wide response to
large-scale incidents. Information sharing are planned
accordingly through trusted channels in the event of an incident,
collecting and exchanging timely information that can facilitate
the detection, response, resumption and recovery of its own
systems and those of other sector participants during and
following a cyber attacks. The reporting requirements and
capabilities are consistent with information-sharing
arrangements within the FMI’s communities and the financial
sector
❏ Information-sharing groups and its collectives are actively
participating together with the FMIs including cross-industry,
cross-government and cross-border groups to gather, distribute
and assess information about cyber practices, cyber threats, and
early warning indicators relating to cyber threats.Multilateral
information arrangements are designed to facilitate a sector-
wide response to large-scale incidents
Overarching activity: Learning and Evolving
Sub-activity: Ongoing learning
❏ Lessons from cyber events are systematically identified, and key lessons are distilled from cyber events that have occurred within and outside the organization in order to advance its resilience capabilities. These include useful learning points that are often gleaned from successful cyber intrusions and near misses in terms of the methods used and vulnerabilities exploited by cyber attackers.
❏ New knowledge and capabilities are actively acquired, including by monitoring technological developments and keeping abreast of new cyber risk management processes that can effectively counter existing and newly developed forms of cyber attack. An FMI acquires the technology and know-how needed to maintain its cyber resilience.
❏ Predictive capacity takes precedence over reactive controls. This includes proactive protection against future cyber events. Predictive capabilities and anticipation of future cyber events are based on analyzing activity that deviates from the baseline. To achieve predictive capabilities, data is captured from multiple internal and external sources, and baselines are established for behavioral and system activity.
Sub-activity: Cyber resilience benchmarking
❏ Metrics and maturity models allow an FMI to assess its cyber resilience maturity against a set of predefined criteria, typically its operational reliability objectives. This benchmarking requires an FMI to analyze and correlate findings from audits, management reviews, incidents, near misses, tests and exercises, as well as internal and external intelligence gathered. The use of metrics enables an FMI to identify gaps in its cyber resilience framework for remediation, and allows an FMI to systematically evolve and achieve more mature states of cyber resilience.
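The element on "analyzing activity that deviates from the baseline" describes a predictive control in a single sentence. The Python below is an added example, not code from the CPMI guidance or from this report, showing one concrete way such a baseline is built and scored: for each host and metric, a mean and standard deviation are computed from historical hourly telemetry, and the newest observation is flagged when it lies more than a chosen number of standard deviations above that mean. The host names, metric names, telemetry values, z-score threshold and the minimum-deviation floor are all constructed assumptions; a flat history (the constant admin-session count) is handled explicitly so it cannot produce a division by zero.

```python
"""Behavioral baselining and deviation scoring (added illustration).

Not code from the CPMI guidance or this report. All telemetry is constructed.
"""
import statistics
from collections import defaultdict
from dataclasses import dataclass

# Constructed hourly telemetry, one record per line: "<hour> <host> <metric> <value>".
# For each (host, metric) series the earlier rows form the learning window and the
# final row is the observation to be scored against that window.
SAMPLE_LOG = """\
2017-11-01T00 settle-01 failed_logins 3
2017-11-01T01 settle-01 failed_logins 2
2017-11-01T02 settle-01 failed_logins 4
2017-11-01T03 settle-01 failed_logins 3
2017-11-01T04 settle-01 failed_logins 2
2017-11-01T05 settle-01 failed_logins 3
2017-11-01T06 settle-01 failed_logins 41
2017-11-01T00 settle-01 outbound_mb 120
2017-11-01T01 settle-01 outbound_mb 118
2017-11-01T02 settle-01 outbound_mb 122
2017-11-01T03 settle-01 outbound_mb 119
2017-11-01T04 settle-01 outbound_mb 121
2017-11-01T05 settle-01 outbound_mb 120
2017-11-01T06 settle-01 outbound_mb 123
2017-11-01T00 gw-02 admin_sessions 1
2017-11-01T01 gw-02 admin_sessions 1
2017-11-01T02 gw-02 admin_sessions 1
2017-11-01T03 gw-02 admin_sessions 1
2017-11-01T04 gw-02 admin_sessions 1
2017-11-01T05 gw-02 admin_sessions 1
2017-11-01T06 gw-02 admin_sessions 6
"""

Z_THRESHOLD = 3.0  # assumed: flag observations more than 3 standard deviations above the mean
MIN_STDEV = 0.5    # assumed floor so a perfectly constant history still yields a finite score


@dataclass
class Finding:
    host: str
    metric: str
    observed: float
    mean: float
    stdev: float
    z_score: float
    flagged: bool


def parse_log(text):
    """Group values by (host, metric), preserving line order (assumed chronological)."""
    series = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        _hour, host, metric, value = line.split()
        series[(host, metric)].append(float(value))
    return series


def score_series(host, metric, values, threshold=Z_THRESHOLD):
    """Build a baseline from all but the last value and score the last value against it."""
    history, observed = values[:-1], values[-1]
    if len(history) < 2:
        raise ValueError(f"{host}/{metric}: need at least 2 history points for a baseline")
    mean = statistics.mean(history)
    # Sample standard deviation, floored so a flat history cannot divide by zero.
    stdev = max(statistics.stdev(history), MIN_STDEV)
    z = (observed - mean) / stdev
    return Finding(host, metric, observed, mean, stdev, z, z >= threshold)


def detect_deviations(text=SAMPLE_LOG, threshold=Z_THRESHOLD):
    """Score every (host, metric) series in the log; sorted for stable output."""
    series = parse_log(text)
    return sorted(
        (score_series(h, m, v, threshold) for (h, m), v in series.items()),
        key=lambda f: (f.host, f.metric),
    )


def flagged_series(text=SAMPLE_LOG, threshold=Z_THRESHOLD):
    """Return the (host, metric) pairs whose latest observation breaches the threshold."""
    return [(f.host, f.metric) for f in detect_deviations(text, threshold) if f.flagged]


if __name__ == "__main__":
    for f in detect_deviations():
        status = "DEVIATION" if f.flagged else "within baseline"
        print(f"{f.host:10} {f.metric:15} observed={f.observed:6.1f} "
              f"baseline={f.mean:6.1f} sd={f.stdev:.2f} z={f.z_score:6.2f} {status}")
```

Run as a script, the failed-login spike and the jump in administrative sessions are reported as deviations, while the small rise in outbound volume stays within the baseline; lowering the threshold would flag it too. In practice the threshold and the metrics chosen are where the "external sources" of the guidance come in: threat intelligence about an active campaign against a class of systems is a reason to tighten the threshold or add metrics for those systems.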
REASON FOR SELECTION
Digital transformation rests on two technological pillars, digitization and interconnection, and is complemented by a growing ecosystem of interrelated technologies (OECD Digital Economic Outlook, 2017). The business disruption brought about by the digital social and economic landscape has reached greater heights and raised the stakes. The proliferation of mobile technology, the digitization of financial services and global interconnectivity drive e-commerce and social commerce worldwide, enabled in part by digital payments (PayPal, APAC Research Report, 2017). The CRF-CPMI prescribes controls suitable for financial systems and FMIs to develop a robust and resilient cyber framework. The Standard also addresses several areas for consideration:
❏ Convergence of different communication technologies
❏ Internet of Things (IoT)
❏ Consumer trust
❏ Digital innovation stimulates economic activities across the cyber ecosystem
This Standard works in tandem with the NIST Cybersecurity Framework.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY FRAMEWORK FOR
IMPROVING CRITICAL INFRASTRUCTURE CYBERSECURITY
BACKGROUND OF THE STANDARD
The national and economic security of the United States depends on the reliable functioning of
critical infrastructure. To strengthen the resilience of this infrastructure, President Obama issued
Executive Order 13636 (EO), “Improving Critical Infrastructure Cybersecurity,” on February 12,
2013. This Executive Order calls for the development of a voluntary Cybersecurity Framework
(“Framework”) that provides a “prioritized, flexible, repeatable, performance-based, and cost-
effective approach” to manage cybersecurity risk for those processes, information, and systems
directly involved in the delivery of critical infrastructure services. The Framework, developed in
collaboration with industry, provides guidance to an organization on managing cybersecurity risk.
Critical infrastructure is defined in the EO as “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”
On this basis the National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity (NIST-CSF) was established. It is currently at version 1.0, with an exposure draft of version 1.1 dated January 10, 2017.
Overview of the framework
The Framework is a risk-based approach to managing cybersecurity risk, and is composed of three
parts: the Framework Core, the Framework Implementation Tiers, and the Framework Profiles.
Each Framework component reinforces the connection between business drivers and cybersecurity activities.
The Framework Core is a set of cybersecurity activities, desired outcomes, and applicable
references that are common across critical infrastructure sectors. The Core presents industry
standards, guidelines, and practices in a manner that allows for communication of cybersecurity
activities and outcomes across the organization from the executive level to the
implementation/operations level. The Framework Core consists of five concurrent and continuous
Functions—Identify, Protect, Detect, Respond, Recover. When considered together, these Functions
provide a high-level, strategic view of the lifecycle of an organization’s management of cybersecurity
risk.
Framework Implementation Tiers (“Tiers”) provide context on how an organization views
cybersecurity risk and the processes in place to manage that risk. Tiers describe the degree to which
an organization’s cybersecurity risk management practices exhibit the characteristics defined in the
Framework (e.g., risk and threat aware, repeatable, and adaptive). The Tiers characterize an
organization’s practices over a range, from Partial (Tier 1) to Adaptive (Tier 4). These Tiers reflect a
progression from informal, reactive responses to approaches that are agile and risk-informed. During
the Tier selection process, an organization should consider its current risk management practices,
threat environment, legal and regulatory requirements, business/mission objectives, and
organizational constraints.
A Framework Profile (“Profile”) represents the outcomes based on business needs that an
organization has selected from the Framework Categories and Subcategories. The Profile can be
characterized as the alignment of standards, guidelines, and practices to the Framework Core in a
particular implementation scenario. Profiles can be used to identify opportunities for improving
cybersecurity posture by comparing a “Current” Profile (the “as is” state) with a “Target” Profile
(the “to be” state). To develop a Profile, an organization can review all of the Categories and
Subcategories and, based on business drivers and a risk assessment, determine which are most
important; they can add Categories and Subcategories as needed to address the organization’s risks.
The Current Profile can then be used to support prioritization and measurement of progress toward
the Target Profile, while factoring in other business needs including cost-effectiveness and
innovation. Profiles can be used to conduct self-assessments and communicate within an organization
or between organizations.
REASON FOR SELECTION
The advantage of the framework is that it fits all organizations regardless of size or industry. It is flexible and easily adaptable to existing programs. It is also cost-effective: apart from perhaps a few technological upgrades, the Framework is a concept and not a product. It is a business strategy that measures the bottom line of security efforts and identifies desired outcomes by utilizing three primary components: the Core, Implementation Tiers, and Profiles. The components work together in creating an overall strategy that includes risk assessment, asset management, access control, employee training, policies, and incident response.
(https://www.thesecurityawarenesscompany.com/2017/08/03/5-reasons-organization-adopt-nist-cybersecurity-framework/)
This framework, together with ISO 27001, can aid larger organizations in creating a customized implementation plan for cyber security. This framework has more prescriptive steps and activities for establishing an acceptable cyber security posture.
CONCLUSION
All the standards that have been selected have similarities. Although the statements are framed quite differently, the intents and objectives are the same: to achieve a state of cyber resiliency. We have summarized these requirements into three main points as follows:
○ Required from management
■ Leadership and commitment
■ Risk Awareness
■ Clear assignment of information security responsibilities to specific persons
■ Financial investment in security
■ Awareness of critical assets, information and processes
■ Treatment of information as an asset, just like land/labor/capital, and thus requiring an appropriate risk management approach
■ Firm and defined information security/cyber resiliency risk appetite and
threshold setting
○ Required for successful implementation
■ Risk Management and proper prioritization of mitigation measures
■ Policies and procedures
■ Risk and Security culture versus security awareness
■ Acceptance by all levels of the organization of their responsibility for
information security
■ Mature skills development system for the people behind IT systems
■ Established MIS to generate appropriate information security/cyber
resiliency reports to Management
■ Periodic testing of information security/cyber resiliency processes toward
continuing improvement
○ Required readiness and capability
■ To expect the unexpected, and prepare for disruptive technologies that may
radically change how we understand how things work, like how
cryptocurrency and blockchain systems demand different implementation of
Confidentiality/Integrity/Availability/Privacy
■ The development and emerging use of quantum computing which will
potentially break all known cryptographic protections of today
■ Ability to adapt to upcoming standards for digital evidence that will be required for financial transactions, fraud disputes, or criminal case proceedings.
■ Industry wide information sharing and collaboration.
For the successful implementation of any controls and corresponding activities to achieve this, management’s commitment is an indicator of the degree of success that can be accomplished. It is therefore prudent that any regulation developed contain these requirements, including the methods to achieve them.
REFERENCES / SOURCES
The ISO Survey of Management System Standard Certifications 2016, September 2017
http://siteresources.worldbank.org/FINANCIALSECTOR/Resources/282044-1323805522895/121534_text_corrections_3-15.pdf
http://www.treasuryalliance.com/assets/publications/payments/Fundamentals_of_Payment_Systems.pdf
http://www.oecd.org/competition/PaymentSystems2012.pdf
http://www.cardrates.com/news/credit-card-companies/
http://www.barrons.com/articles/good-news-for-visa-and-mastercard-as-card-spending-grows-1478628528
http://knowledge.ckgsb.edu.cn/2015/03/31/finance-and-investment/wholl-win-visa-and-mastercard-versus-unionpay/
https://www.nilsonreport.com/publication_chart_and_graphs_archive.php?1=1&year=2017
https://www.usaid.gov/philippines/partnership-growth-pfg/e-peso-activity
http://www.verizonenterprise.com/verizon-insights-lab/payment-security/2017/
https://www.thesecurityawarenesscompany.com/2017/08/03/5-reasons-organization-adopt-nist-cybersecurity-framework/
https://www.nist.gov/cyberframework
https://www.pcisecuritystandards.org/documents/PCI%20SSC%20Quick%20Reference%20Guide.pdf
https://www.bis.org/cpmi/publ/d146.pdf [Guidance on cyber resilience for financial market infrastructures]
ISO/IEC 27001:2013 [Requirements for an Information Security Management System]
http://www.dict.gov.ph/national-cybersecurity-plan-2022/
http://www.dict.gov.ph/inventory-of-published-policies/