FDIC Information Security and Privacy Strategic Plan: 2018-2021: Goal 1
STRATEGIC GOAL 1
Protect FDIC information assets, manage threats, and sustain business operations.
Because information security and privacy enable the FDIC Divisions and Offices to achieve their missions, they must be balanced against business needs and must ensure that the business continues to operate even under active cyber threats. Protections for information assets, which include information and technology that the FDIC owns or that outside entities have entrusted to it, are implemented using a risk-based approach that weighs the importance of each asset to the FDIC's mission and aligns with enterprise architecture principles.
1.1 Strengthen protections commensurate with the sensitivity and criticality of FDIC information assets.
- Strengthen identification and classification of information assets.
- Improve identification and management of security and privacy risks.
- Augment security and privacy control mechanisms and strategies consistent with emerging threats and technology, and the enterprise security architecture.
1.2 Ensure OCISO capabilities effectively protect FDIC business functions using a risk-based approach.
- Integrate privacy requirements and align the security architecture with the FDIC’s enterprise architecture and development framework to ensure delivery of secure capabilities.
- Monitor, evaluate, and communicate the implementation of information security and privacy policies and practices across the FDIC enterprise.
- Increase communication and collaboration where information security and privacy risks and program execution intersect with business decisions and operations.
- Strengthen divisional representation in ensuring information security and privacy protections, balanced with business needs.
- Continue to track, assess, and minimize collection and retention of PII.
- Promote transparency and trust in FDIC's maintenance and protection of PII.
1.3 Enable FDIC business functions to continue executing their missions in the case of an adverse cyber event.
- Evaluate the FDIC’s regulatory, risk, environmental, and operational drivers related to business continuity.
- Adapt and implement cyber resiliency design principles within FDIC’s enterprise security architecture to improve the ability to quickly recognize, respond to, and recover from cyber attacks.
- Collaborate with DIT and the business divisions and offices to ensure continuous availability of IT functions and information assets, with strengthened data security.
- Evaluate FDIC compliance with recovery policies during system disruptions and outages and use lessons learned for future improvements.
Business operations are secured; information assets and infrastructure are protected; and risks are communicated, well-understood and managed.