January 9, 2012 - A wide variety of cybersecurity guidance is available from national and international organizations for entities within the seven critical infrastructure sectors GAO reviewed: banking and finance; communications; energy; health care and public health; information technology; nuclear reactors, material, and waste; and water. Much of this guidance is tailored to business needs of entities or provides methods to address unique risks or operations. In addition, entities operating in regulated environments are subject to mandatory standards to meet their regulatory requirements; entities operating outside of a regulatory environment may voluntarily adopt standards and guidance. While private sector coordinating council representatives confirmed lists of cybersecurity guidance that they stated were used within their respective sectors, the representatives emphasized that the lists were not comprehensive and that additional standards and guidance are likely used.

Implementation of cybersecurity guidance can occur through a variety of mechanisms, including enforcement of regulations and voluntary adoption in response to business incentives; however, sector-specific agencies could take additional steps to promote the most applicable and effective guidance throughout the sectors. A number of subsectors within the sectors included in GAO's review, such as electricity in the energy sector, are required to meet mandatory cybersecurity standards established by regulation under federal law or face enforcement mechanisms, such as civil monetary penalties. By contrast, entities not subject to regulation may voluntarily implement cybersecurity guidance to, among other things, reduce risk, protect intellectual property, and meet customer expectations. Federal policy establishes the dissemination and promotion of cybersecurity-related standards and guidance as a goal for enhancing the security of our nation's cyber-reliant critical infrastructure. DHS and the other lead agencies for the sectors selected for review have disseminated and promoted cybersecurity guidance among and within sectors. However, DHS and the other sector-specific agencies have not identified the key cybersecurity guidance applicable to or widely used in each of their respective critical infrastructure sectors. In addition, most of the sector-specific critical infrastructure protection plans for the sectors reviewed do not identify key guidance and standards for cybersecurity because doing so was not specifically suggested by DHS guidance. Given the plethora of guidance available, individual entities within the sectors may be challenged in identifying the guidance that is most applicable and effective in improving their security posture. Improved knowledge of the guidance that is available could help both federal and private sector decision makers better coordinate their efforts to protect critical cyber-reliant assets.

Sector cybersecurity guidance that GAO compared in three subsectors within the banking and finance, energy, and nuclear sectors is substantially similar to guidance applicable to federal agencies. Specifically, one set of guidance for each subsector, along with supplementary documents, addressed most risk management steps and most recommended security controls that are specified for federal information systems in guidance from the Commerce Department's National Institute of Standards and Technology. GAO is recommending that the Department of Homeland Security (DHS), in collaboration with public and private sector partners, determine whether it is appropriate to have cybersecurity guidance listed in sector plans. DHS concurred with GAO's recommendation.

Why GAO Did This Study

Critical infrastructures are systems and assets critical to the nation's security, economy, and public health and safety, most of which are owned by the private sector. These assets rely on networked computers and systems, thus making them susceptible to cyber-based risks. Managing such risk involves the use of cybersecurity guidance that promotes or requires actions to enhance the confidentiality, integrity, and availability of computer systems. For seven critical infrastructure sectors, GAO was asked to identify (1) cybersecurity guidance for entities within the sectors, (2) the extent to which implementation of this guidance is enforced and promoted, and (3) areas of commonalities and differences between sector cybersecurity guidance and guidance applicable to federal agencies. To do this, GAO collected and analyzed information from responsible private sector coordinating councils; federal agencies, including sector-specific agencies that are responsible for coordinating critical infrastructure protection efforts; and standards-making bodies. In addition, GAO compared a set of guidance in each of three subsectors with guidance applicable to federal agencies.

What GAO Recommends

GAO is recommending that the Department of Homeland Security (DHS), in collaboration with public and private sector partners, determine whether it is appropriate to have cybersecurity guidance listed in sector plans. DHS concurred with GAO’s recommendation.

For more information, contact Gregory C. Wilshusen at (202) 512-6244.

January 5, 2012 - The Securities and Exchange Commission has charged an investment adviser with trying to sell $500 billion-worth of fictitious securities on LinkedIn and other social networking sites. The watchdog claims that Illinois-based Anthony Fields used LinkedIn discussions to promote fictitious "bank guarantees" and "medium-term notes", managing to entice several potential buyers into expressing interest.

The SEC's order says he also provided "false and misleading information" concerning Anthony Fields & Associates's assets under management, clients, and operational history to the public through its Web site and in SEC filings.

Robert Kaplan, co-chief of the SEC enforcement division's asset management unit, says: "Fraudsters are quick to adapt to new technologies to exploit them for unlawful purposes. Social media is no exception, and today's enforcement action reflects our determination to pursue fraudulent activity on new and evolving platforms."

The action against Fields is part of a move by the SEC to step up oversight of how the investment industry uses social media, with the regulator taking the opportunity to publish alerts on the issue to investors and advisory firms.

The notice to advisers warns that firms need to consider how to implement new compliance programs or revisit existing ones in the face of rapidly changing technology.

An investor alert offers tips on how to be better aware of fraudulent schemes that use social media, and provides advice on checking the backgrounds of advisers and brokers. Meanwhile, an investor bulletin gives best practice guidance on matters such as privacy settings, security tips, and password selection, aimed at helping social media users protect their personal information and avoid fraud.

"More and more, investors are using social media to help them with investment decisions. While social media can provide many benefits for investors, it also makes an attractive target for fraudsters. The Investor Alert provides some useful tips to help investors look out for securities fraud online," says Lori Schock, director, Office of Investor Education and Advocacy.

The SEC's action comes as the US Financial Industry Regulatory Authority (Finra) backs away from proposals that would have required broker dealers to monitor and report all social media postings by representatives and affiliates. In an amendment to its package of social media compliance demands filed with the SEC late last month, Finra stated that it would exclude messages on online interactive forums from a post-use filing requirement. The self-regulatory body said that the change was instituted in response to member concerns over the scale of the data management challenge imposed by the proposed rule.

December 20, 2011 - The Federal Reserve Board on Tuesday proposed steps to strengthen regulation and supervision of large bank holding companies and systemically important nonbank financial firms. The proposal, which includes a wide range of measures addressing issues such as capital, liquidity, credit exposure, stress testing, risk management, and early remediation requirements, is mandated by the Dodd-Frank Wall Street Reform and Consumer Protection Act.

December 19, 2011 - Citi has been ordered to overhaul its risk management systems by Japan's Financial Services Agency, which has sanctioned the US bank for the way it has tried to sell investment products to retail customers.

December 16, 2011 - Over 80% of US banks and credit unions plan to invest in new technologies to help them conform to new FFIEC online banking security guidance, according to a survey from vendor Guardian Analytics.

December 15, 2011 - Regulatory bodies are not acting with enough intelligence to resolve the ongoing issues in the global financial system.