
Dictionary · CPMI-IOSCO Guidance on Cyber Resilience for Financial Market Infrastructures


47 senses under CPMI-IOSCO Guidance on Cyber Resilience for Financial Market Infrastructures

Verbs

3 senses
recover

To restore any capabilities or services that have been impaired due to a cyber event.

resume

To recommence functions following a cyber incident. An FMI should resume critical services as soon as it is safe and practicable to do so without causing unnecessary risk to the wider sector or further detriment to financial stability.

respond

Of an FMI, to develop and implement appropriate activities to be able to take action when it detects a cyber event.

Nouns

44 senses
vulnerability

A weakness, susceptibility or flaw in a system that an attacker can access and exploit to compromise system security. Vulnerability arises from the confluence of three elements: the presence of a susceptibility or flaw in a system; an attacker’s access to that flaw; and an attacker’s capability to exploit the flaw.

attack surface

The sum of an information system’s characteristics in the broad categories (software, hardware, network, processes and human) which allows an attacker to probe, enter, attack or maintain a presence in the system and potentially cause damage to an FMI. A smaller attack surface means that the FMI is less exploitable and an attack less likely.

availability

The property of being accessible and usable as expected upon demand.

critical operations

Any activity, function, process, or service, the loss of which, for even a short period of time, would materially affect the continued operation of an FMI, its participants, the market it serves, and/or the broader financial system.

business process

A collection of linked activities that takes one or more kinds of input and creates an output that is of value to an FMI’s stakeholders. A business process may comprise several assets, including information, ICT resources, personnel, logistics and organisational structure, which contribute either directly or indirectly to the added value of the service.

cyber resilience strategy

An FMI’s high level principles and medium term plans to achieve its objective of managing cyber risks.

cyber attack

The use of an exploit by an adversary to take advantage of a weakness(es) with the intent of achieving an adverse effect on the ICT environment.

cyber maturity model

A mechanism to have cyber resilience controls, methods and processes assessed according to management best practice, against a clear set of external benchmarks.

cyber risk

The combination of the probability of an event occurring within the realm of an organisation’s information assets, computer and communication resources and the consequences of that event for an organisation.

cyber threat

A circumstance or event with the potential to intentionally or unintentionally exploit one or more vulnerabilities in an FMI’s systems, resulting in a loss of confidentiality, integrity or availability.

cyber risk management

The process used by an FMI to establish an enterprise-wide framework to manage the likelihood of a cyber attack and develop strategies to mitigate, respond to, learn from and coordinate its response to the impact of a cyber attack. The management of an FMI’s cyber risk should support the business processes and be integrated in the FMI’s overall risk management framework.

cyber resilience

An FMI’s ability to anticipate, withstand, contain and rapidly recover from a cyber attack.

cyber risk tolerance

The propensity to incur cyber risk, being the level of cyber risk that an FMI intends to assume in pursuing its strategic objectives.

cyber

Refers to the interconnected information infrastructure of interactions among persons, processes, data, and information and communications technologies, along with the environment and conditions that influence those interactions.

cyber governance

Arrangements an organisation puts in place to establish, implement and review its approach to managing cyber risks.

cyber event

An observable occurrence in an information system or network.

cyber risk profile

The cyber risk actually assumed, measured at a given point in time.

cyber resilience framework

Consists of the policies, procedures and controls an FMI has established to identify, protect, detect, respond to and recover from the plausible sources of cyber risks it faces.

cyber threat intelligence

Information that provides relevant and sufficient understanding for mitigating the impact of a potentially harmful event (may also be referred to as “cyber threat information”).

defence in depth

The security controls deployed throughout the various layers of the network to provide for resiliency in the event of the failure or the exploitation of a vulnerability of another control (may also be referred to as “layered protection”).

detection

Development and implementation of the appropriate activities in order to identify the occurrence of a cyber event.

disruption

A disruption is an event affecting an organisation’s ability to perform its critical operations.

ecosystem

A system or group of interconnected elements, formed by linkages and dependencies. For an FMI, this may include participants, linked FMIs, service providers, vendors and vendor products.

financial market infrastructure

A multilateral system among participating institutions, including the operator of the system, used for the purposes of clearing, settling or recording payments, securities, derivatives or other financial transactions.

forensic readiness

The ability of an FMI to maximise the use of digital evidence to identify the nature of a cyber attack.

forensic investigation

The application of investigative and analytical techniques to gather and preserve evidence from a digital device impacted by a cyber attack.

ICT

Information and communications technologies. ICT can also be read as IT (information technology) in this document.

identification

To develop the organisational understanding required to manage cyber risk to systems, assets, data and capabilities.

indicator

An occurrence or sign which reveals that an incident may have occurred or be in progress.

information asset

Any piece of data, device or other component of the environment that supports information-related activities. In the context of this report, information assets include data, hardware and software. Information assets are not limited to those that are owned by the entity. They also include those that are rented or leased, and those that are used by service providers to deliver their services.

integrity

With reference to information, an information system or a component of a system, the property of not having been modified or destroyed in an unauthorised manner.

layered protection

As relying on any single defence against a cyber threat may be inadequate, an FMI can use a series of different defences to cover the gaps in and reinforce other protective measures. For example, the use of firewalls, intrusion detection systems, malware scanners, integrity auditing procedures and local storage encryption tools can serve to protect information assets in a complementary and mutually reinforcing manner. May also be referred to as “defence in depth”.

leading standards, guidelines and practices

Standards, guidelines and practices which reflect industry best approaches to managing cyber threats, and which incorporate what are generally regarded as the most effective cyber resilience solutions.

malware

Malicious software used to disrupt the normal operation of an information system in a manner that adversely impacts its confidentiality, availability or integrity.

operational resilience

The ability of an FMI to: (i) maintain essential operational capabilities under adverse conditions or stress, even if in a degraded or debilitated state; and (ii) recover to effective operational capability in a time frame consistent with the provision of critical economic services.

protection

Development and implementation of appropriate safeguards, controls and measures to enable reliable delivery of critical infrastructure services.

red team

An independent group that challenges the cyber resilience of an organisation to test its defences and improve its effectiveness. A red team views the cyber resilience of an FMI from an adversary’s perspective.

situational awareness

The ability to identify, process and comprehend the critical elements of information through a cyber threat intelligence process that provides a level of understanding that is relevant to act upon to mitigate the impact of a potentially harmful event.

threat

A circumstance or event that has or indicates the potential to exploit vulnerabilities and to adversely impact (create adverse consequences for) organisational operations, organisational assets (including information and information systems), individuals, other organisations or society in general.

actionable intelligence

Information that can be acted upon to address, prevent or mitigate a cyber threat.

resilience by design

The embedding of security in technology and system development from the earliest stages of conceptualisation and design.

risk-based approach

An approach whereby FMIs identify, assess and understand the risks to which they are exposed and take measures commensurate with these risks.

risk tolerance

The amount and type of risk that an organisation is willing to take in order to meet its strategic objectives (may also be referred to as “risk appetite”).

security operations centre

A function or service responsible for monitoring, detecting and isolating incidents.