FDIC Information Security and Privacy Strategic Plan: 2018-2021: Goal 2
STRATEGIC GOAL 2
Continuously improve programs, processes, and tools to strengthen FDIC’s cybersecurity and privacy posture.
Because the threat and technology landscape is continually evolving, the FDIC must continually streamline and enhance its security and privacy capabilities in a cohesive, coordinated manner. With established capabilities integrated across the enterprise and expressed in an enterprise security architecture that informs the design and selection of IT investments, the FDIC will ensure that risks are addressed and that information assets receive the necessary levels of protection.
2.1 Maintain and augment monitoring, detection, and incident response functions commensurate with security and privacy risks.
- Continuously monitor FDIC information assets to maintain and enhance situational awareness to manage risk.
- Coordinate with the Division of Information Technology (DIT), business divisions and offices to address technology risks that may result in elevated security or privacy risks.
- Employ techniques to detect, contain, and respond to malicious activity and emerging threats.
- Enhance and coordinate incident response activities to quickly respond to and recover from breaches or information security incidents and minimize impact on FDIC and affected individuals.
- Improve the use of metrics and leverage information gained from incidents to enhance and update the enterprise security architecture to ensure it addresses emerging risks.
- Assess risk and impact from potential and confirmed breaches and ensure timely communications with affected parties.
- Establish and maintain an optimized inventory of security tools and services that aligns with the FDIC enterprise security architecture and applicable guidance such as the NIST Cybersecurity Framework (CSF).
2.2 Ensure FDIC security architecture evolves with the threat environment, as well as information security and privacy risks.
- Employ mechanisms and prioritization commensurate with risk to manage system vulnerabilities through a proactive, comprehensive approach.
- Obtain and share information on cyber threats targeting the federal government or the financial industry.
- Proactively investigate emerging security and privacy threats for potential impact to FDIC business functions.
2.3 Ensure FDIC privacy and information security programs address emerging IT capabilities and business needs.
- Collaboratively develop, adopt, and update policies, processes, and standards to better guide implementation of protections, as well as improve and maintain compliance with applicable federal law and policy.
- Work with FDIC Divisions and Offices to identify and respond to current and emerging needs for information security and privacy.
- Continuously measure and align the information security and privacy posture with emerging technology, business needs, and industry leading practices.
- Incorporate aligned information security and privacy posture into the FDIC security architecture and technical security reference standards.
- Address privacy and cybersecurity concerns early and continuously throughout the acquisition and development lifecycles to minimize risks.
Expected outcome: FDIC information security and privacy protection capabilities are responsive to a dynamic threat environment and to evolving business needs.