Like other cybersecurity frameworks, the CRI framework has a defined structure. That structure keeps the framework consistently applicable, makes it easy for different types of financial entities to use and understand, and focuses reporting and mitigation effort.
The CRI Framework module, within X-Analytics, maintains the CRI framework structure.
What is the CRI Framework?
The Cyber Risk Institute (CRI) Framework, also known as the Financial Services Cybersecurity Profile, is a comprehensive framework developed to help financial institutions manage and mitigate cyber risks. It was created in collaboration with the financial services industry, regulatory agencies, and other stakeholders to provide a standardized approach to cybersecurity, tailored specifically to the needs of the financial sector.
For more information, please visit here.
How is the CRI Framework Structured?
The Cyber Risk Institute (CRI) Framework is structured into Functions, Categories, Sub-Categories, and Diagnostic Statements. Most of the CRI framework structure aligns with NIST CSF 2.0. Please see CRI Framework diagram below:
Impact Tiers
In the above diagram, on the upper right-hand side, you will notice Impact Tiers.
The CRI Framework (or CRI Profile) segments the financial services sector into four tiers of criticality. Each tier corresponds with the impact that an organization would have on the global, national, sector, or local market if substantially impacted by a cybersecurity event.
CRI recommends that all entities complete the Impact Tiering Questionnaire, consisting of 9 questions, to determine an organization’s “Impact Tier”:
Tier 1: National/Super-National Impact – These institutions are designated most critical by one or more global regulatory agencies and/or bodies (e.g., the Basel Committee’s Global Systemically Important Bank (GSIB) designation or Executive Order 13636’s Section 9 designation). This category assumes the gross cyber risk exposure of an institution or service categorized as Tier 1 would have the most potential adverse impact to the overall stability of a national economy, and potentially, the global market.
Tier 2: Subnational Impact – These institutions provide mission critical services with millions of customer accounts. This category assumes the gross cyber risk exposure of an institution or service would have the potential for a substantial adverse impact to the financial services sector and subnational regional economy but does not rise to the level of Tier 1.
Tier 3: Sector Impact – These institutions have a high degree of interconnectedness, with certain institutions acting as key nodes within, and for, the sector. The nature of the services that these institutions provide to the sector plays a significant role in determining their criticality.
Tier 4: Localized Impact – These institutions have a limited impact on the overall financial services sector and national economy. Typical characteristics include: (a) institutions with a local presence and less than 1 million customers (e.g., community banks, state banks) and (b) providers of low criticality services.
You can find the Impact Tiering Questionnaire here.
Impact Tier to Function, Category, Sub-Category, and Diagnostic Statement Alignment
The Profile includes seven overarching Functions for assessing an organization’s cyber risk management program: 1) Governance, 2) Identify, 3) Detect, 4) Protect, 5) Respond, 6) Recover, and 7) Supply Chain/Dependency Management. Each Function is subdivided into specific concept Categories and Subcategories, which are designed to reflect an element of an effective cyber risk management program. Each Subcategory is associated with at least one Diagnostic Statement to assess the organization’s cyber risk management program. After completing the Impact Tiering Questionnaire, organizations respond to a certain number of Diagnostic Statements corresponding to their Impact Tier.
Tier 1: National/Super-National Impact includes 318 Diagnostic Statements
Tier 2: Subnational Impact includes 311 Diagnostic Statements
Tier 3: Sector Impact includes 282 Diagnostic Statements
Tier 4: Localized Impact includes 208 Diagnostic Statements
Diagnostic Statement Response Key
Organizations note the outcome of their assessment by selecting one of eight potential Diagnostic Statement responses, with the default response set to “To Be Assessed.” The potential Diagnostic Statement responses include:
1) Yes: All of the control outcome(s) described in the Profile Diagnostic Statement are assessed and/or tested on a regular basis and are demonstrated to have been designed and operating reliably in the organizational environment.
2) No: The control outcome(s) described in the Profile Diagnostic Statement have not been meaningfully improved.
3) Partial: A meaningful subset of the control outcome(s) described in the Profile Diagnostic Statement are assessed and/or tested on a regular basis and are demonstrated to have been designed and operating reliably in the organizational environment.
4) Not Applicable: The Profile Diagnostic Statement has been determined to be not applicable to the assessment and will not be counted towards any intermediate or total result.
5) Yes-Risk Based: The control outcome(s) described in the Profile Diagnostic Statement are assessed and/or tested on a regular basis and are demonstrated to have been designed and operating reliably for the highest-risk assets, or highest-risk control functions, in the organizational environment.
6) Yes-Compensating Control: An institution might select this response if it meets the intent of the Diagnostic Statement by using compensating controls.
7) Not Tested: An institution might select this response if it has yet to test controls associated with the Diagnostic Statement.
8) I don’t know: An individual assessment user might select this response as a placeholder/note to check with other relevant stakeholders within the institution to determine the most accurate response.
If you need more detail, please visit here.
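The two structural rules above, that an organization only answers the Diagnostic Statements that correspond to its Impact Tier, and that a Not Applicable response is excluded from every intermediate and total result, are easy to get wrong in a home-grown tracker. The following Python is an added example, not code from X-Analytics or the Cyber Risk Institute: it models the Function > Category > Subcategory > Diagnostic Statement tree, filters statements by tier, and rolls responses up to a per-Function or per-Category alignment figure. The statement identifiers, categories and subcategories are constructed placeholders, the `highest_tier` encoding of tier applicability is an assumption, and the credit given per response (full credit for the three “Yes” forms, half for Partial, none otherwise) is an assumed scoring, not the Profile’s own.

```python
from dataclasses import dataclass

# The eight responses listed in the CRI response key, plus the default.
RESPONSES = frozenset({
    "Yes", "No", "Partial", "Not Applicable", "Yes-Risk Based",
    "Yes-Compensating Control", "Not Tested", "I don't know", "To Be Assessed",
})

# ASSUMPTION (not defined on the page): credit earned per response when
# rolling up alignment. The three "Yes" forms count as fully met, "Partial"
# as half, and anything unanswered, untested or unknown as unmet.
# "Not Applicable" has no entry because it is excluded from every count.
CREDIT = {
    "Yes": 1.0, "Yes-Risk Based": 1.0, "Yes-Compensating Control": 1.0,
    "Partial": 0.5,
    "No": 0.0, "Not Tested": 0.0, "I don't know": 0.0, "To Be Assessed": 0.0,
}


@dataclass(frozen=True)
class DiagnosticStatement:
    """One leaf of the Function > Category > Subcategory > Statement tree.

    highest_tier is an assumed encoding of tier applicability: Tier 1 answers
    every statement, so a statement applies to an organization whenever the
    organization's tier number is <= highest_tier.
    """
    ds_id: str
    function: str
    category: str
    subcategory: str
    highest_tier: int


def statements_for_tier(statements, tier):
    """Statements an organization in the given Impact Tier must respond to."""
    if tier not in (1, 2, 3, 4):
        raise ValueError(f"Impact Tier must be 1-4, got {tier!r}")
    return [s for s in statements if tier <= s.highest_tier]


def alignment(statements, responses, tier, group_by=("function",)):
    """Roll responses up to the requested level of the tree.

    Returns {group_key: (alignment_fraction, counted_statements)}. A missing
    response is the default "To Be Assessed". Not Applicable statements are
    dropped from both numerator and denominator, so a group where everything
    is N/A reports None rather than a misleading 0.
    """
    totals = {}
    for s in statements_for_tier(statements, tier):
        resp = responses.get(s.ds_id, "To Be Assessed")
        if resp not in RESPONSES:
            raise ValueError(f"{s.ds_id}: {resp!r} is not a CRI response")
        key = tuple(getattr(s, attr) for attr in group_by)
        credited, counted = totals.get(key, (0.0, 0))
        if resp != "Not Applicable":
            credited, counted = credited + CREDIT[resp], counted + 1
        totals[key] = (credited, counted)
    return {k: (c / n if n else None, n) for k, (c, n) in totals.items()}


def total_alignment(statements, responses, tier):
    """Single alignment figure across every counted statement for the tier."""
    frac, _ = alignment(statements, responses, tier, group_by=()).get((), (None, 0))
    return frac


# Constructed sample data: identifiers, categories and subcategories are
# placeholders, not real CRI Profile identifiers.
SAMPLE_STATEMENTS = [
    DiagnosticStatement("DS-1", "Governance", "Category A", "Subcat A.1", 4),
    DiagnosticStatement("DS-2", "Governance", "Category A", "Subcat A.2", 4),
    DiagnosticStatement("DS-3", "Governance", "Category B", "Subcat B.1", 2),
    DiagnosticStatement("DS-4", "Identify", "Category C", "Subcat C.1", 4),
    DiagnosticStatement("DS-5", "Identify", "Category C", "Subcat C.2", 3),
    DiagnosticStatement("DS-6", "Identify", "Category D", "Subcat D.1", 4),
]

SAMPLE_RESPONSES = {
    "DS-1": "Yes",
    "DS-2": "Partial",
    "DS-3": "No",
    "DS-4": "Not Applicable",
    "DS-5": "Yes-Compensating Control",
    # DS-6 is left unanswered, so it stays at the default "To Be Assessed".
}

if __name__ == "__main__":
    for tier in (1, 4):
        applicable = statements_for_tier(SAMPLE_STATEMENTS, tier)
        print(f"Tier {tier}: {len(applicable)} applicable statements")
        by_cat = alignment(SAMPLE_STATEMENTS, SAMPLE_RESPONSES, tier,
                           group_by=("function", "category"))
        for key, (frac, n) in by_cat.items():
            print(f"  {'/'.join(key)}: alignment={frac} over {n} counted")
        print(f"  total: {total_alignment(SAMPLE_STATEMENTS, SAMPLE_RESPONSES, tier)}")
```

Note how the Tier 4 view of the sample drops DS-3 and DS-5 entirely (they apply only to higher tiers), while DS-4 is still listed for the tier but contributes nothing because it was marked Not Applicable; those are two different exclusions and a dashboard should report them separately.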
How Do I Use the CRI Framework Module Within X-Analytics?
Using the CRI Framework module within X-Analytics is very easy. You just need to ask your Customer Success Team Member to enable the CRI framework.
After the CRI Framework has been enabled for your account, you will see it within your admin panel.
At this stage, you just need to turn the framework on.
Within the X-Analytics Profile Builder, Add Your CRI Framework Responses.
Within the X-Analytics Profile Builder, select the CRI Security Controls and answer all the diagnostic statements within each CRI Function and Category.
You will notice that the response key matches the CRI framework structure.
Special Note: If a diagnostic statement is not applicable for your Impact Tier, then select 4 - Not Applicable.
At any time, you have the option to select Save and Submit. After selecting Save and Submit, you will notice how each set of CRI responses updates your Current Cyber Exposure.
Once you are done entering all of your CRI responses, then please move to the X-Analytics Report Center.
Within X-Analytics, Viewing Your CRI Profile.
Within the X-Analytics Report Center, under the Analysis Center, select Control Framework Dashboards, and then select CRI 2.0.
The X-Analytics CRI Dashboard provides your current cyber exposure (as related to your unique profile and CRI implementation), your CRI 2.0 total alignment, your CRI 2.0 alignment by function and category, and your remaining opportunity per CRI function and category considering a perfect implementation.
Special Note: The opportunity value can help you prioritize your mitigation actions and design an optimal cyber risk management plan.
Next Steps
Work with your X-Analytics Customer Success Team to best leverage X-Analytics for your CRI use case and to optimize your cyber risk management plan.