Page 157 - Kaleidoscope Academic Conference Proceedings 2021
Connecting physical and virtual worlds
management and budgeting; and Internal/external audit and compliance. The last and most critical group involves the digital systems and value creation processes. Relations between this group and the others in security are often contentious. The result is often a poorly defined target understanding, the one element that unifies everyone. These specialization silos do not communicate well and do not coordinate interdependencies well. This friction results in very weak interoperability and correlation confidence across threats-to-targets, the clear understanding of the resulting risk from likelihood and impact assessments, and the fiduciary requirement to reduce residual risk to acceptable levels.

2. IMMEDIATE CAPABILITY ENHANCEMENT

The technology gives an expert or a novice practitioner the immediate ability to ingest "any and all" existing and future frameworks and their mappings from the body of knowledge, and to consume and adapt these frameworks and mappings for their own purposes.

Figure 4 illustrates the NIST CSF 1.1 mapping of an external control (orange pentagon) to FSSCC framework objectives as internal controls (blue circles) in the technology platform. Objectives and their mappings to other frameworks are clearly visible.

Figure 4 – FSSCC-to-NIST CSF in technology

The frictionless freedom to see and travel through both the existing public body of knowledge and an organization's customized state-of-security posture provides the freedom to customize. The capability to select and "see" or visualize any reference anchor framework, and immediately see its objectives at all decompositional levels together with their provided maps to other frameworks, is a game changer. Change the reference framework on demand, and see a new world defined by the new anchor framework but involving the same maps. The capability to "travel" or navigate, like an MRI, to any "area of concern," and to travel down to higher precision levels to find context-specific knowledge, allows an effortless focus on analysis rather than on information searching and manipulation.

Figure 5 illustrates the further ability, in "bi-view," to create two parallel but independent views to compare two anchor frameworks and their maps: on the left, in blue, using the FSSCC framework as the reference anchor with CSF 1.1 maps; on the right, in orange, comparing the same two frameworks observed in reverse. This capability clearly illustrates control coverage gaps between the two frameworks. With the ability to navigate and visualize any aspect of one's state of security to increasing levels of precision, one can focus on analysis and design rather than on searching for information and converting it into a consumable form.

Figure 5 – FSSCC-to-NIST CSF in technology

The author has been engaged with the World Economic Forum ("WEF") Center for Cybersecurity and its publication entitled "Systems Cyber Resilience: Secure and Trusted FinTech" [1], as indicated by the citation in Contributors on page 33:

"With thanks to: Ghiyazuddin Mohammad, Alliance for Financial Inclusion (Malaysia); Jacques Francoeur, ITU-T Study Group 17: Security; The Monetary Authority of Singapore; Troy Leach, CTO Payment Card Industry Security Standards Council; Curtis Dukes and Phyllis Lee, Center for Internet Security; Josh Magri and Alan Carroll, Cyber Risk Institute."

"Consortium members asked, how can less mature FinTech companies connect with very mature organizations while maintaining a level of cybersecurity risk that is understood by all parties, accepted and manageable?"

"The Consortium's recommendations support the scaling and adoption of frameworks that provide clear and actionable cybersecurity guidelines to FinTechs to enhance the security of the wider financial services supply chain."

Several of the report's key challenge conclusions and recommendations can be addressed by the technology. It is important to understand that the technology is knowledge- and framework-agnostic, being able to process any framework. This even includes privacy controls.

The following section describes the model and foundation of the technology platform.

3. SECURITY VULNERABILITY EXPRESSIONS

Security vulnerability expressions ("Vulnerability Expressions") capture the natural one-to-one relationships (mappings) between threats-to-value asset vulnerabilities,
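The anchor switching and bi-view gap comparison described in Section 2 above, as an added example that is neither the paper's code nor the platform it describes: a small Python model in which the published maps are stored once as edges between objectives of different frameworks, any framework can be chosen as the anchor without touching the maps, and the bi-view reports the objectives on each side that map to nothing on the other side (the control coverage gaps). The framework names (ext, int, priv) and objective identifiers (E.1, I.1, P.1, ...) are constructed placeholders, not real NIST CSF, FSSCC or privacy control identifiers; the example generalizes the two-framework figure to any number of frameworks sharing one set of maps.

```python
"""Framework map navigation: anchor switching and bi-view coverage gaps.

Added example, not code from the paper or its platform. All framework
names, objective identifiers and maps below are constructed placeholders.
"""
from collections import defaultdict

# Constructed body of knowledge: three frameworks, each a set of leaf-level
# objectives. "ext" stands in for an external reference framework, "int" for
# the organization's internal-control framework, "priv" for privacy controls.
FRAMEWORKS = {
    "ext": {"E.1", "E.2", "E.3", "E.4"},
    "int": {"I.1", "I.2", "I.3", "I.4", "I.5"},
    "priv": {"P.1", "P.2"},
}

# Maps are stored exactly once, as undirected edges between objectives of two
# frameworks. Changing the anchor changes the viewpoint, never the edges.
MAPS = [
    ("E.1", "I.1"),
    ("E.1", "I.2"),
    ("E.2", "I.3"),
    ("E.4", "I.3"),
    ("I.2", "P.1"),   # a privacy control mapped only to an internal objective
    # E.3, I.4, I.5 and P.2 deliberately map to nothing: coverage gaps.
]


def build_index(maps):
    """Index edges by objective so a lookup works from either end of a map."""
    index = defaultdict(set)
    for a, b in maps:
        index[a].add(b)
        index[b].add(a)
    return index


def view_from_anchor(anchor, frameworks, index):
    """Re-anchor on `anchor`: each of its objectives with its mapped objectives.

    Output is sorted for determinism. An empty list is an unmapped objective.
    """
    return {obj: sorted(index.get(obj, ())) for obj in sorted(frameworks[anchor])}


def coverage_gaps(anchor, other, frameworks, index):
    """Objectives of `anchor` that have no direct map into `other`."""
    return sorted(
        obj for obj in frameworks[anchor]
        if not index.get(obj, set()) & frameworks[other]
    )


def bi_view(left, right, frameworks, index):
    """Two parallel, independent views over the same maps, plus gaps each way."""
    return {
        left: view_from_anchor(left, frameworks, index),
        right: view_from_anchor(right, frameworks, index),
        "gaps": {
            left: coverage_gaps(left, right, frameworks, index),
            right: coverage_gaps(right, left, frameworks, index),
        },
    }


if __name__ == "__main__":
    idx = build_index(MAPS)
    result = bi_view("ext", "int", FRAMEWORKS, idx)
    for side in ("ext", "int"):
        print(f"anchor={side}")
        for obj, mapped in result[side].items():
            print(f"  {obj} -> {mapped or 'UNMAPPED'}")
    print("gaps:", result["gaps"])
    # Same maps, different anchor: the privacy framework as reference.
    print("anchor=priv", view_from_anchor("priv", FRAMEWORKS, idx))
```

Note that `coverage_gaps` only counts direct maps: P.1 reaches the external framework only through I.2, so it is reported as a gap against "ext" even though a transitive path exists. Whether such indirect coverage should count is a design decision a practitioner has to make explicitly when comparing frameworks this way.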
– 95 –