G-7 Guidelines for Cybersecurity Assessment

On October 13, 2017, the Group of Seven countries, including Canada, the United Kingdom and the United States (the “G-7”), issued a report titled G-7 Fundamental Elements for Effective Assessment of Cybersecurity in the Financial Sector (the “G7FEA”) to provide guidance for effective cybersecurity assessments by financial sector organizations. The G7FEA supplements the G-7’s 2016 report titled G7 Fundamental Elements of Cybersecurity for the Financial Sector (the “G7FEC”). The guidance is useful for organizations of all kinds and sizes.

G-7 Fundamental Elements of Cybersecurity

The G7FEC describes the following basic building blocks for the design and implementation of a cybersecurity strategy and operating framework for financial sector organizations: (1) strategy and framework; (2) governance; (3) risk and control assessment; (4) monitoring; (5) response; (6) recovery; (7) information sharing; and (8) continuous learning. For more information, see BLG bulletin Cyber Risk Management – G7 Cybersecurity Guidelines for the Financial Sector.

G-7 Fundamental Elements for Effective Assessment

The G7FEA is designed to promote the cybersecurity practices outlined in the G7FEC by specifying desirable cybersecurity outcomes and components of effective cybersecurity assessments.

The desirable outcomes are the following broad, demonstrable characteristics of a mature cybersecurity program: (1) the Fundamental Elements are in place; (2) cybersecurity influences organizational decision-making; (3) there is an understanding that disruption will occur; (4) an adaptive cybersecurity approach is adopted; and (5) there is a culture that drives secure behaviors.

The assessment components are designed to promote the quality of cybersecurity assessments and facilitate continuous improvement. The components are as follows: (1) establish clear assessment objectives; (2) set and communicate methodology and expectations; (3) maintain a diverse toolkit and process for tool selection; (4) report clear findings and concrete remedial actions; and (5) ensure assessments are reliable and fair.

