Capability Effectiveness Testing for Architectural Resiliency in Financial Systems

摘要

Increasing interconnectivity in financial institutions and markets along with complex, interdependent architectures present unique enterprise risks. While technological advances continuously improve the reliability and trustworthiness of individual technological system components, the complex, collaborative architectures relied on by most financial organizations present substantial challenges that span technology, personnel, and process dimensions. As systems and threat environments grow in sophistication, approaches to security testing and evaluation must evolve as well. Traditional approaches to cyber security testing may still be useful to evaluate basic architectural components, however new techniques are needed to enable the enterprise to construct simulation exercises that model real-world threat conditions and test the resiliency of all architectural components, including personnel and process dimensions. Organizations must not only establish capabilities to recognize breach attempts, but take decisive response action under conditions of uncertainty and stress. Techniques to evaluate resilient enterprise architectures sometimes underemphasize the threats surrounding human dimensions. This paper examines emerging risk considerations presented by increased connectivity among financial services enterprises. It explores new requirements for testing and evaluation of enterprise resiliency as well as organizational detection and response capabilities. The paper considers industry and other external environmental factors driving the need to develop comprehensive evaluation approaches to evaluate the effectiveness of enterprise capabilities in order to embed capability effectiveness assessments within enterprise risk management practices. Limitations of current cyber testing approaches in simulating the emerging cyber threat environment are identified, and the value of realistic, time-bound drills and tests that mimic the stress of real-world cyber events are explored.