Happy New Year to all of our readers of the Global Regulatory Frameworks Compared Series! As a recap, in recent months, we have been taking a deep dive into the different regulatory bodies that govern the cybersecurity requirements of the Financial Sector. One of the key issues we’ve covered is the misalignment of cybersecurity standards across the board, which in turn led to the introduction of a pan-European framework that could be leveraged across the whole of the Eurozone – TIBER EU.
While the UK and Europe have a fairly coordinated approach with the CBEST and TIBER Frameworks, Asia has a slightly different approach. In part 4 of this series, we’ll be taking a look at the iCAST Framework, governed by the Hong Kong Monetary Authority (HKMA).
Hong Kong’s approach – iCAST
The Hong Kong Monetary Authority (HKMA) has approached regulation through its Cyber Fortification Initiative, which includes a Cyber Resilience Assessment Framework (C-RAF). C-RAF incorporates a maturity assessment and determines which Authorised Institutions (AIs) fall within scope for the Intelligence-led Cyber Attack Simulation Testing (iCAST) phase. The Cyber Fortification Initiative has three pillars, as follows:
- Cyber Resilience Assessment Framework (C-RAF), which has three core building blocks:
  - Inherent Risk Assessment – allows an AI to be classed as Low, Medium or High risk;
  - Maturity Assessment – the AI determines whether its actual level of cyber resilience is commensurate with its inherent risk;
  - Intelligence-led Cyber Attack Simulation Testing (iCAST) – aimed at AIs with an inherent risk of Medium or High.
- Professional Development Programme (PDP) – the PDP acknowledges that certification is required, but relies on the support of the CREST programmes that were developed for CBEST.
- Cyber Security Information Sharing Partnership (CiSP) – a sharing platform created for member entities to share intelligence and live information within the sector.
iCAST regulatory framework objectives
The CBEST framework set out to achieve the objective of increasing the UK Financial Sector’s resilience to cyber-attack, and also to support the following:
- Access to advanced and detailed cyber threat intelligence;
- Testing of live systems;
- Access to knowledgeable, skilled and competent cyber threat intelligence analysts, who have a detailed understanding of the financial services sector;
- Realistic penetration tests that replicate sophisticated, current attacks based on current and targeted cyber threat intelligence;
- Access to highly qualified penetration testers that understand how to conduct technically difficult testing activities, whilst ensuring that no damage or risk is caused;
- Confidence in the methodologies utilised by the companies within CBEST for conducting these sophisticated and sensitive tests;
- Confidence that the results and the information accessed by the testers will be protected;
- Standard key performance indicators that can be used to assess the maturity of the organisation’s ability to detect and respond to cyber-attacks;
- Access to benchmark information, through the key performance indicators, that can be utilised to assess other parts of the financial services industry;
- A framework that is underpinned by comprehensive, enforceable and meaningful codes of conduct administered by a specialist professional body.
The three phases of iCAST testing
A very linear process model is defined within the C-RAF framework, with each phase completing before the next one can start. The three stages of C-RAF are shown below:
- Inherent risk assessment;
- Maturity assessment (twenty-five components within seven domains);
- Intelligence-led cyber-attack simulation testing (iCAST), which itself comprises scoping, developing the threat intelligence analysis, developing testing scenarios, testing and reporting.
There is no indication of the envisaged timescales for the overall process. The overall process is shown in figure 5.
How does iCAST compare to CBEST and TIBER?
The table below provides an overview of the main characteristics of four frameworks: the three driven by regulators (CBEST, TIBER-EU and iCAST) and the Red Teaming approach put forward by ABS in Singapore. For the purpose of this post, we are focusing on iCAST in relation to the other frameworks.
What is the current status of the iCAST Framework?
Current Status: Initial (recently released) – large focus on simulated testing (red teaming).
- Large focus on red team testing;
- Optional elements around threat intelligence, with viewpoints provided from within the organisation if chosen;
- Well-defined red team process that gives some elements of technical methodology, but is almost too prescriptive in places;
- Eight defined report structures are set out; these will probably need to be reviewed once the scheme has been used in practice;
- AASE is designed to be a set of guidelines to be referred to when conducting red team exercises, rather than a regulator’s framework to be followed.
How can Nettitude help?
Since iCAST was first introduced several years ago, Nettitude has been engaging with global banks that are trying to protect their most important systems. Whether it’s delivering CBEST, GBEST, iCAST or AASE, Nettitude’s team are well placed to help organisations deliver an end-to-end engagement, combining Threat Intelligence and Red Teaming.
These services have been delivered using Nettitude’s in-house tooling, as well as a combination of open source tools, to ensure that companies understand how best to protect themselves. Delivering a scenario-based engagement isn’t just about finding a way into an organisation; it’s also about helping companies get better at defending themselves over a longer period of time, in case they ever experience a real-life attack.
For more information on approaching iCAST, get in touch with your local Nettitude team.
Next up in the blog series:
- Edition No.4 – A comparison of global regulatory frameworks – AASE
- Edition No.5 – A comparison of global regulatory frameworks – a roundup of CBEST, TIBER-EU, iCAST and AASE