Federal Deposit
Insurance Corporation

FDIC Information Security and Privacy Strategic Plan: 2018-2021: Executive Summary



Executive Summary

The 2018-2021 Federal Deposit Insurance Corporation (FDIC) Information Security and Privacy Strategic Plan (ISP SP) directly aligns to, and supports, the FDIC Information Technology (IT) Strategic Plan 2017-2020 (ITSP). It has been developed in collaboration with the Office of the Chief Information Security Officer (OCISO) along with the Chief Information Officer (CIO) / Chief Privacy Officer (CPO).

The FDIC maintains various types of sensitive information in the course of doing business, including from both the federal and private sector. The security challenges and threat environment for FDIC’s information systems are continually evolving. To address these threats, the FDIC must continue to develop and implement comprehensive, risk-based approaches to protect the information handled in support of the FDIC mission.

This ISP SP outlines how the FDIC’s information security and privacy programs continuously evolve to protect the FDIC’s information assets and assure the confidentiality, integrity, and availability of the information vital to achieve the FDIC’s mission. The ISP SP identifies three strategic goals, with supporting objectives, developed around: (1) protecting FDIC information assets, managing threats, and sustaining business operations; (2) continuously improving programs, processes, and tools; and (3) cultivating a highly effective, enterprise-integrated cybersecurity and privacy workforce.

Privacy, Risk Management, and Governance are interwoven themes cross-cutting these three goals. These themes ensure that information security and privacy are ingrained into FDIC’s culture and are built in by design; that cyber and privacy risks are identified, well-understood, and managed; and that governance is in place to collaborate with internal and external partners and ensure sufficient cybersecurity and privacy protection implementation. The themes, along with the Strategic Goals and their supporting Strategic Objectives, can be seen in Figure 1 below.

Strategic Goals & Objectives

Strategic Goal 1: Protect FDIC information assets, manage threats, and sustain business operations.
  Objective 1.1: Implement protections commensurate with the sensitivity and criticality of FDIC information assets.
  Objective 1.2: Ensure OCISO capabilities effectively protect FDIC business functions using a risk-based approach.
  Objective 1.3: Enable FDIC business functions to continue executing their missions in the case of an adverse cyber event.

Strategic Goal 2: Continuously improve programs, processes, and tools to strengthen FDIC’s cybersecurity posture and privacy protection.
  Objective 2.1: Maintain and augment security monitoring, detection, and incident response functions commensurate with risks.
  Objective 2.2: Ensure that the security architecture evolves with the threat environment as well as information security and privacy risks.
  Objective 2.3: Ensure FDIC privacy and information security programs address emerging IT and business capabilities.

Strategic Goal 3: Cultivate a workforce that is prepared to protect the FDIC from existing and emerging threats and challenges.
  Objective 3.1: Implement programs that create an attractive environment to recruit and retain highly effective cybersecurity and privacy professionals.
  Objective 3.2: Assess, develop, and implement training for the cybersecurity and privacy workforce on emerging technology, threats, and federal mandates.
  Objective 3.3: Ingrain cybersecurity and privacy within the FDIC culture through communication and collaboration.

Cross-Cutting Themes
  Privacy: Ensure compliance with applicable privacy requirements, develop and evaluate privacy policy, and manage privacy risks.
  Risk Management: Focus on protecting the information assets critical to meeting FDIC’s mission to maximize reduction of impact should cyber attacks occur.
  Governance: Maximize effectiveness of the security and privacy programs through measures and corresponding updates, integration into budgeting activities, and regular communication with FDIC Divisions and Offices.

Figure 1: ISP SP Overview

A knowledgeable FDIC-wide security and privacy workforce supports OCISO’s ability to assure that FDIC business divisions and offices are able to operate securely. Knowledge of technology standards, enterprise architecture principles, and risk methodologies is particularly important. FDIC is optimizing cybersecurity and privacy skillsets by leveraging the National Institute of Standards and Technology (NIST) National Initiative for Cybersecurity Education (NICE)1 and other frameworks.

A strong cybersecurity and privacy culture is critical to successfully protect FDIC information and execution of business functions. OCISO provides a governance and risk management structure designed to integrate information security and privacy considerations into decision making and an enterprise security architecture that communicates common security design principles. Communication, collaboration, and accountability are essential for establishing a culture of cybersecurity and privacy.

1 The NICE framework assists public, private, and academic organizations in ensuring they have the necessary cybersecurity functions, specialty areas of work, and work roles.
