Cyber risk management – resilience of information technology systems
According to a recent IBM Cost of Data Breach report, the Middle East ranked second for the region with the highest average cost of data breaches in 2023 at just over $8 million.
The financial services industry is one of the most targeted industries by cyber criminals and, as a result, avoiding such cyber attacks has been a top priority for firms for a number of years. Regulators from around the world have now increased efforts to manage this risk by implementing rules and regulations.
As of 1 January 2024, the Dubai Financial Services Authority (“DFSA”) formulated new cyber risk management rules and guidance. All Authorised Firms (“AF”, or “firms”) under the Dubai International Financial Centre (“DIFC”) are now required to implement an appropriate framework to identify and mitigate cyber risks and to detect, respond to, and recover from cyber incidents.
One of the focus areas under the new rules is in relation to the assessment and testing of the resilience of firms’ Information Technology (“IT”) systems, networks, processes and controls implemented to satisfy all the cyber risk management rules.
The DFSA requires the testing of internet facing systems to be carried out regularly, at least annually. The DFSA also requires firms to ensure there is a process in place to prioritise and remedy any adverse findings resulting from such testing.
This article will examine one of the most well-known ways to implement this requirement; Vulnerability Assessment & Penetration Testing (“VAPT”).
VAPT provides an inclusive security evaluation, that includes both the identification of vulnerabilities and an understanding of their exploitability and impact. This enables firms to have a thorough assessment of the security posture and helps them effectively manage and mitigate risks, in addition to satisfying any DFSA regulatory requirements.
VAPT covers all IT internal and external components such as firewalls, routers, switches, servers, and security management systems.
High level phases for VAPT typically include:
- Preliminary planning and strategic design – where the cyber security consultant works with the firm to develop a comprehensive testing strategy that reflects the firm’s needs, concerns, and security objectives. The understanding of the environment and business enables a consultant to create a plan that targets key areas of concern and provides a roadmap for the assessment and testing process. This involves identifying all necessary testing details such as target URLs and IPs, securing application credentials, and arranging testing window agreements. This phase may also set further activities such as team mobilisation, the agreement of ongoing communication protocols, and defining roles and responsibilities, along with management reporting and incident handling.
- Scheduling and coordination – where effective coordination is crucial for minimising disruptions to a firm’s business while ensuring thorough testing coverage. Suitable times are scheduled whilst ensuring that all necessary stakeholders are informed and prepared.
- Threat surface evaluation and testing – where cyber security consultants apply tools and techniques to simulate a diverse array of potential attacks on firms’ systems, identifying vulnerabilities and assessing the landscape. Testing could incorporate both automated and manual methods. Tests should be rigorous, thorough and adhere to recognised industry standards such as OWASP, NIST, and ISSAF. Specific approaches are employed for different types of tests, ensuring a comprehensive evaluation of firms’ systems.
- Reporting and remediation – where all findings, including an analysis of uncovered vulnerabilities, potential business impacts, and proposed remediation measures are reported.
How can Waystone help?
Waystone is dedicated to providing its clients with the highest quality of information security and data protection advisory and support services and is certified to both the ISO/IEC 27001:2013 standard for its own Information Security Management System and to the ISO/IEC 27701:2019 Privacy Information Management System extension for its data protection scheme.
In addition to the VAPT capabilities, Waystone offers further IT system resilience testing such as scenario-based testing, social engineering, phishing assessments, Microsoft Office 365 risk assessment and threat assessments/research.
Waystone also offers several bespoke, cyber security services, including:
- policy review and development
- cyber awareness training for leadership teams and staff
- incident response planning and cyber crisis support
- cyber security governance and resilience assessments
- cyber security hygiene assessments
- Chief Information Security Officer (CISO) as a service
- NESA compliance assessments.
If you would like to find out more about how to mitigate your cyber security risk, please reach out to your usual Waystone representative, or contact us below.