FDIC Information Security and Privacy Strategic Plan: 2018-2021: Introduction
Congress created the FDIC in the Banking Act of 1933 to maintain stability and public confidence in the nation’s banking system. Information security and privacy are key elements for the success of FDIC’s core programs. The FDIC must ensure that strong security and privacy controls protect the information used in the course of carrying out its responsibilities. The FDIC Mission and Vision statements are below.
FDIC Mission
The Federal Deposit Insurance Corporation (FDIC) is an independent agency created by the Congress to maintain stability and public confidence in the nation’s financial system by: insuring deposits, examining and supervising financial institutions for safety and soundness and consumer protection, and managing receiverships.

FDIC Vision
The FDIC is a recognized leader in promoting sound public policies, addressing risks in the nation’s financial system, and carrying out its insurance, supervisory, consumer protection, and receivership management responsibilities.
Cybersecurity incidents are a growing threat to consumers, financial institutions, other businesses, and financial market utilities, as well as government agencies, including the FDIC. The FDIC maintains sensitive financial, supervisory, and personal information in the conduct of its mission. The FDIC must continue to enhance its responsiveness to the increasing number of threats to the security, privacy, and integrity of its large holdings of sensitive information, while ensuring sustainability of operations.
The Office of the Chief Information Security Officer (OCISO), part of the Chief Information Officer (CIO) Organization (CIOO), ensures the security and privacy of FDIC information assets, regardless of location, against unauthorized access, use, disclosure, modification, damage, or loss. These protections enable FDIC Divisions and Offices to securely achieve the FDIC mission. To accomplish this, OCISO advances FDIC enterprise policy and guidance; ensures a common enterprise security architecture informs solution selection and design; educates FDIC personnel about information security and privacy; assists in strengthening safeguards; and responds to breaches and information security incidents and events that endanger the FDIC’s information assets. The OCISO mission and CIOO vision, which are aligned to and support the FDIC mission and vision, are provided below.
OCISO Mission
The mission of the Office of the Chief Information Security Officer (OCISO) is to provide enterprise-wide information security and privacy programs that assure integrity, confidentiality, and availability of corporate information by proactively protecting the assets from unauthorized access and misuse.

CIO Organization Vision
To provide scalable, efficient technology that enables continuous access to data securely from any place at any time.
The FDIC conducted a gap analysis as a precursor to developing the Information Security and Privacy Strategic Plan (ISP SP), which focused on the various federal requirements for strengthening an organization’s cybersecurity and privacy posture. Specifically, it focused on alignment to the NIST Framework for Improving Critical Infrastructure Cybersecurity (known as the Cybersecurity Framework [CSF]) as mandated by Executive Order 13800; Appendix II (General Requirements, which specify privacy responsibilities) of the Office of Management and Budget’s (OMB’s) Circular A-130, Managing Information as a Strategic Resource; and the five cybersecurity strategic objectives of OMB’s M-16-04, Cybersecurity Strategy and Implementation Plan (CSIP) for the Federal Civilian Government. The goals and objectives of the FDIC ISP SP are aligned with the federal requirements conveyed in these guidance documents.
In addition, the ISP SP and its emphasis on the protection of FDIC’s information assets from unauthorized use, disclosure, modification, damage, and loss is in direct alignment with the FDIC Information Technology (IT) Strategic Plan 2017-2020 (ITSP), which supports the 2017-2020 FDIC Strategic Plan. The first goal of the FDIC ITSP focuses on ensuring that, “Information security and privacy are ingrained in FDIC culture ensuring IT solutions are secure by design and cyber risks are well-understood, managed, and minimized in accordance with business needs.” The ITSP goals and objectives, to which this plan aligns, are illustrated in Figure 2 below.
Figure 2: FDIC ITSP Overview

While the ISP SP is most directly aligned to the first ITSP goal of Information Security and Privacy, it also supports other ITSP goals and cross-cutting themes.
- ISP SP Goal 1, “Protect FDIC information assets, manage threats, and sustain business operation” contributes to the second ITSP goal of Continuity of Operations and the third goal of Enterprise Mobility.
- ISP SP Goal 2, “Continuously improve programs, processes, and tools to strengthen FDIC’s cybersecurity and privacy posture,” supports the ITSP goals of Enterprise Mobility, Information Management and Analytics, and the theme of Innovation.
- ISP SP Goal 3, “Cultivate a workforce that is prepared to protect the FDIC from existing and emerging threats and challenges,” is consistent with the ITSP theme of Collaboration.
Appendix A includes a more detailed traceability matrix between the ISP SP and the ITSP.
This plan sets priorities for the FDIC to efficiently and effectively address the management, control, and protection of the FDIC’s information assets. In addition, this document outlines the strategic goals and objectives for future initiatives and identifies the components necessary to iteratively improve the security and privacy posture of the FDIC, in support of the business divisions and offices.