Cyber Resilience Assessment Framework - (C-RAF) 2.0 - Deloitte
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
Cyber Resilience Assessment Framework (C-RAF) 2.0 Risk Advisory June 2021
Key updates on C-RAF 2.0
The Hong Kong Monetary Authority (the "HKMA") released the Cyber Resilience Assessment Framework (C-RAF) 2.0 in November 2020.
Banks will need to begin their implementation efforts now. And, we are here to help.
Group 1* Group 2 Group 3
Inherent Risk Assessment and Maturity
End-September 2021 End-June 2022 End-March 2023
Assessment
iCAST (applicable to AIs with inherent risk
End-June 2022 End-March 2023 End-December 2023
level assessed to be "medium" or "high")
* Group 1 will cover all major retail banks, selected foreign bank branches and new authorized institutions which have not undertaken the C-RAF assessments
before. The rest will be included in Group 2 or 3 depending on their scale of operation and cyber risk profile. The HKMA will inform AIs individually of their
assigned grouping.
Inherent Risk Assessment ("IRA") Maturity Assessment ("MA")
The inherent risk assessment comprise The maturity assessment covers seven
five categories. The result of the key domains which are designed to
inherent risk assessment will reflect AIs' provide a comprehensive review of the
cybersecurity threat level, determine its entire operating environment, and
cyber risk exposure, and required places emphasis on a sound governance
cybersecurity controls. framework.
Major changes:
C-RAF 2.0 Major changes:
• "Upward Override" mechanism • Supplemented with control
• Refined the indicator criteria and objectives for each control principle
definitions • Introduced new control principles
• Refined the calculation methodology and enhanced existing control
of inherent risk level principles (e.g. virtualisation security,
IoT security)
• Offered flexibility to leverage group/
headquarters' assessment result
Intelligence-led Cyber Attack Simulation Testing ("iCAST")
The HKMA has made reference to overseas practices and regulations in enhancing the iCAST approaches. AIs which aim to attain
"intermediate" or "advanced" maturity level are required to conduct the iCAST exercise.
Major changes:
• Elaborated guidance on testing approach • Blue Team Report & 360 Degree Replay Workshop
• Preparation of a Tailored Threat Intelligence Report
How Deloitte can help
Implementation and Incident Response
support Service
IRA, MA and iCAST
Assessment
Remediation strategy Managed Security
and planning Services
Inherent Risk Assessment
There are three major changes of the inherent risk assessment in C-RAF 2.0.
Refined the indicator criteria Refined the calculation
"Upward Override" mechanism
and definitions methodology of inherent risk level
AIs can choose to be exempted from The new IRA introduced the new Additional calculation rule of inherent
conducting the IRA if they opt-in to adopt assessment criteria for AIs in calculating risk level will be implemented: If the
"high" inherent risk level, and proceed to the inherent risk, including wireless number of "low" risk assessment criteria
conduct maturity assessment and iCAST network access, Internet presence, is less than or equal to the total number
exercise directly. social media presence, Automated Teller of "medium" and "high" risk level, the
Machines (ATM) (Operation), and wire inherent risk level should be adjusted to
transfers. "medium".
Maturity Assessment
• Risk identification – identify critical assets, process and the relevant threats and
vulnerabilities regularly with methodological approach and tools
Manage cyber risk of IT • Risk treatment – implement process and control to manage cyber risk on risk-based
environment and assets approach, ensure risk mitigation, risk transfer, or risk acceptance process are performed
commensurate with the AI's risk tolerance
• Risk monitoring – maintain a risk register to monitor and review the risk exposure and
mitigation effectiveness
In C-RAF 2.0, the HKMA offered • Strengthen the preventive and detection controls on remote access, wireless access,
flexibility for AI to leverage the mobile access, physical access, and cryptographic key management to prevent
assessment result performed IT environment
unauthorized access or operations
by AI’s group, headquarters or protection and
• Establish policies and controls to govern the use of virtualization technology and
other offices to reduce the detection
Internet of Things
efforts in performing C-RAF.
The HKMA also supplemented
• Implement protection mechanism on external connections to limit the attack surface
control objectives for each
control principles to clarify the Third party risk • Conduct adequate due diligence on third party service providers' cybersecurity
management capability, personnel competency, security controls and infrastructure resiliency on a
control requirement, and
introduced a series of ongoing basis
enhancement on the control
objectives. Here are the key • Governance and preparation of incident response and recovery – established accountability
changes that may impact you: across the institutions, including the board and senior management, and detail requirements
on IR plans and playbooks
• Analysis, mitigation, and restoration – in addition to analysis and mitigation, AI should also
Response and
strengthen the restoration and quality assurance testing controls
recovery
• Cyber forensics – established processes and controls for the collection, investigation, analysis,
protection, retention and storage of forensic evidence
• Communication and improvement – identify opportunities to improve response and recovery
from the lessons learned from cyber incidents and simulation exercises
Intelligence-led Cyber Attack Simulation Testing (iCAST)
1. Elaborated guidance on testing approach 2. Preparation of a tailored threat intelligence report
There will be five phases in the new iCAST exercise: C-RAF 2.0 provided a sample table of content for the iCAST Simulation Test
Report, which included:
Preparation and scoping • Executive summary
Key output: finalized Control Group terms of reference and • Scenario walkthrough
scoping table. • Detail technical findings
Development of Tailored Threat Intelligence
The report should also contain:
Key output: Tailored Threat Intelligence Report.
• the sources of information for remediation, clean-up activity planning,
and execution;
Development of Testing Scenarios
• recommendations for remediation, drawing on the iCAST testers’
Key output: iCAST test plan and testing scenarios.
expertise and experience; and
• a timeline showing how the attack as it unfolds.
Test Execution
Key output: first draft of the iCAST Simulation Test Report.
3. Blue Team Report and 360 Degree Replay Workshop
AIs were required to prepare a Blue Team Report with reference to their
Closure
iCAST Stimulation Test Report to map the action taken by the team with the
Key output: finalised iCAST Simulation Test Report, Blue actions taken by the iCAST testers. A 360 Degree Replay Workshop between
Team Report, materials and minutes of the 360 Degree the Control Group, iCAST testers and Blue Team should be conducted to
Replay Workshop, and the improvement plan. learn from the testing experience in collaboration with the iCAST testers.
Contact us
Yat Man CHAN Luke MA
Risk Advisory Risk Advisory
Partner Partner
Tel: 852 2238 7268 Tel: 852 2852 1086
ymchan@deloitte.com.hk lukema@deloitte.com.hk
About Deloitte
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited (“DTTL”), its global network of member firms, and their related entities
(collectively, the “Deloitte organization”). DTTL (also referred to as “Deloitte Global”) and each of its member firms and related entities are legally
separate and independent entities, which cannot obligate or bind each other in respect of third parties. DTTL and each DTTL member firm and
related entity is liable only for its own acts and omissions, and not those of each other. DTTL does not provide services to clients. Please see
www.deloitte.com/about to learn more.
Deloitte is a leading global provider of audit and assurance, consulting, financial advisory, risk advisory, tax and related services. Our global
network of member firms and related entities in more than 150 countries and territories (collectively, the “Deloitte organization”) serves four out
of five Fortune Global 500® companies. Learn how Deloitte’s approximately 330,000 people make an impact that matters at www.deloitte.com.
Deloitte Asia Pacific Limited is a company limited by guarantee and a member firm of DTTL. Members of Deloitte Asia Pacific Limited and their
related entities, each of which are separate and independent legal entities, provide services from more than 100 cities across the region, including
Auckland, Bangkok, Beijing, Hanoi, Hong Kong, Jakarta, Kuala Lumpur, Manila, Melbourne, Osaka, Seoul, Shanghai, Singapore, Sydney, Taipei and
Tokyo.
The Deloitte brand entered the China market in 1917 with the opening of an office in Shanghai. Today, Deloitte China delivers a comprehensive
range of audit & assurance, consulting, financial advisory, risk advisory and tax services to local, multinational and growth enterprise clients in
China. Deloitte China has also made—and continues to make—substantial contributions to the development of China's accounting standards,
taxation system and professional expertise. Deloitte China is a locally incorporated professional services organization, owned by its partners in
China. To learn more about how Deloitte makes an Impact that Matters in China, please connect with our social media platforms at
www2.deloitte.com/cn/en/social-media.
This communication contains general information only, and none of Deloitte Touche Tohmatsu Limited (“DTTL”), its global network of member
firms or their related entities (collectively, the “Deloitte organization”) is, by means of this communication, rendering professional advice or
services. Before making any decision or taking any action that may affect your finances or your business, you should consult a qualified
professional adviser.
No representations, warranties or undertakings (express or implied) are given as to the accuracy or completeness of the information in this
communication, and none of DTTL, its member firms, related entities, employees or agents shall be liable or responsible for any loss or damage
whatsoever arising directly or indirectly in connection with any person relying on this communication. DTTL and each of its member firms, and
their related entities, are legally separate and independent entities.
© 2021. For information, contact Deloitte China.
Designed by CoRe Creative Services. RITM0730588
You can also read
