
CIMA Statement of Guidance and You: How to Navigate New Regulations

BSides Cayman Islands · 2022 · Published 2022-11

Our next speaker is R.J. Sutler, and he's a principal IT security engineer, a cyber security practitioner with more than eight years of hands-on experience in penetration testing of network infrastructure, web applications and social engineering assessments. Recently he was moved from the red to the blue team to help organizations understand cyber risk, navigate regulatory requirements and proactively identify threats within their infrastructure. So I welcome to the stage R.J. Sudlow with "CIMA Statement of Guidance and You: How to Navigate the New Regulations."

[Applause]

Perfect. What a great introduction. That normally sounds good at presentations that don't also include the likes of people from Cisco and biohackers and whatnot, so no, I appreciate it. Thank you, everybody, for coming out. A quick little word: thank you for coming to support BSides as well. I know we've got a lot of good presenters here, and it's good to see some faces and see some community here driven around cyber security in Cayman.

A little bit about me. As it said, I was a red teamer for the last eight years, working at a public accounting firm in the U.S. I cut my teeth by doing penetration tests on a weekly basis, pretty much in every vertical and organization size you could think of. As I grew up and started as a pen tester, moved to the team lead and the manager, obviously by osmosis I had to work with some of the other cyber compliance teams, so I picked up some of the tools of the trade when it came to helping them identify what the results from our pen test were for assessing for SOC reports or ISO compliance, and so on and so forth, and so I kind of got a unique blend of being in the purple team as well. Professionally, I am a cyber practice lead for an MSP here on island. I came down, again, to try and help elevate cyber security levels, not only for our organization but also for the customers that we oversee. And then recently, the one that I'm really proud of, mostly just because there's a lot of other divers on the presentation panel, I wanted to show off and flex a little bit: I'm a recent dive master. Sometimes I can get some decent underwater pictures, like this little turtle that I saw over at Eden Rock. So for those of you that aren't divers, sorry, that's just my little shameless plug that I put out there.

So what's on the agenda for today? We'll get into it a little bit, but CIMA's Statement of Guidance for cyber security really just touches on how regulated entities need to work with and deal with cyber risk as an organization. So we'll go over basically what it is, what are some of the hard requirements, what are some of the recommendations that they put in, key takeaways, and probably talk a little bit about what the future of the Statement of Guidance may look like. A word for all of you on what's going to be in it for you: unfortunately, I am the one thing keeping you from getting more coffee. You're not going to hurt my feelings if you need more coffee to stay awake during this presentation, just because it may be a little dry, and that's just because of the Statement of Guidance; there were some times I had to use specific excerpts to be able to put it in and tie it to some bullet points. And for those of you that are visitors to the islands, you may be able to find some little nuggets to take away, just to see where Cayman is in our cyber security maturity levels, and it may be able to help you kind of harken back, if you're coming from a country or location that may be more regulated, to see where we are and probably where it's going to take us in the future. I tried to also break down some of the examples that they put specifically in the Statement of Guidance and what the requirements are, and just put them into common terms. As I was doing this presentation, and as I've spoken with different organizations and customers of mine on island, I kept coming back to: how do I just make this kind of the SparkNotes of the Statement of Guidance, right, for organizations that are worried about cyber risk and haven't really had to deal with it beforehand? What's kind of the quick bullet points you can give them? Again, it also heavily references the Statement of Guidance. As I was coming up with the SparkNotes, I realized that I'm probably going to have to PDF this up and send it to people, so if you want a copy of this, feel free to reach out to me afterwards. I try to put references for whatever I'm saying as kind of the proof in the pudding as it ties to the Statement of Guidance and the associated Rule, and hopefully this is going to help you should CIMA come knocking on your door, as you have to start going through those regulations and you get the regulators coming in to do their examinations of you as a regulated entity.

So without further ado, we're going to talk about what the CIMA Statement of Guidance is. So CIMA really is breaking it down into three different entities, or three different items, right. The first one I tried to highlight as well was that essentially it's just intended to provide guidance to regulated entities on cyber security as a whole, right, and it sets what CIMA's, the Cayman Islands Monetary Authority's, minimum expectation is in relation to the management of cyber security risks. It applies to all regulated entities. I think the subsection is if you're working for a specific type of mutual fund on island, but I was a business major that kind of flunked all the finance terms, so I'm not sure what the specific variations would be on what makes it regulated and what not based on the funds, but I know there is that little subsection in there. So the Statement of Guidance as a whole, in case you haven't read it or you just want the TL;DR because it's too long or you didn't read it, is that it essentially requires all regulated entities to care about cyber threats. It puts the impetus, from whatever vendor product you may be using, on you as the regulated entity to make sure you're doing all the right things to protect your fund and also all of the data that you have. Again, it applies to all of the different regulated entities on island, and it ties in really nicely with the Cayman Data Protection Act. I think that realistically what we're going to see is these two work synonymously, really helping organizations on island be able to take care of cyber security risk, and then also it's probably going to spill out and start applying to organizations that are not regulated entities. One thing that's worth noting is in CIMA Rule 5.4, item (a), they do call out that any regulated entity that has an outsourcing agreement or has to use a third-party vendor needs to make sure that the vendor they're choosing also adheres to all these different guidelines. So if you're a service provider or a third-party assessor, even though you're not going to get your door knocked on by CIMA, your customers do basically have the right to say, hey, for vendor due diligence we're going to go somewhere else, just because it's our skin in the game; we don't really want to be held liable because you're not doing what you're supposed to.

So what are really the hard requirements? We could probably go over this, leave these bullet points here and then just call it a day, everybody gets coffee earlier, but what I wanted to do was highlight again the really pertinent parts of the requirements. There's really just three specific ones. Item (a) in 5.1 basically says an organization, a regulated entity, must establish, implement and maintain a documented cyber security framework; we'll get into what that is a little bit later. Here's where it's a little bit more reading, but basically that framework and all of the other risk management strategies need to be well documented. You have to make sure you have IT security policies and procedures, you need to make sure that you're showing managerial responsibilities and controls, and then also there needs to be a process that, again, is clearly documented and effective for responding to, containing and recovering from cyber attacks, breaches and incidents. The last one, item (c), essentially says that it needs to go through a regular review to constantly look at new and emerging threats in the cyber security and IT landscape. Again, very standard things, but when it's written in the Statement of Guidance and the associated Rule it can kind of get lost in translation a little bit, so I also gave another TL;DR for anybody that didn't read it or didn't want to go through it. Three main things: come up with a cyber security framework, make sure you've got documented procedures and controls, and make sure you're doing a cyclical review of emerging threats.

The nice part is we're going to go through what the requirements breakdowns are for a cyber security framework. For those of you that may not be familiar with it or haven't implemented one before, this can seem like a bit of a mountain to climb, right. Really, all a cyber security framework is, if you take all the scary words and verbiage out of it, is just guidance based on existing standards for managing and reducing cyber security risk. That's really all it is. It's just a collection of different things that dictate how an organization can move forward based on your entity and what type of risk you may have as an organization, how you're going to handle that, and what you're going to do to try and mitigate that moving forward for day-to-day operations. There's a lot of different frameworks that exist, and you want to make sure that you're choosing one that fits your organization. CIMA calls out specific ones like NIST, the CIS, ISO, and so on and so forth, but you want to make sure that when you're implementing the cyber security framework you're doing a little bit of research, going online, figuring out what makes sense for you. If you're a regulated entity that's got three or four people, you don't need to go for ISO certification; that's like trying to bring a nuclear warhead to kill a fly, right. But if you're a larger organization that has multiple locations and Cayman is an office for it, it may make sense that the parent company or the other location has a more stringent framework that's implemented. The last thing you want to make sure that you're doing is that that cyber security framework is going to be deemed successful based on what types of baselines it defines for the procedures of how, again, your organization is going to deal with that cyber risk. It's really meant to come up with, in that baseline, kind of a gap analysis of where your organization is and how far away it may be from that set of standards. You can start working with different types of cyber security maturity models if you want to; CMMC was another one that came out in the U.S. But essentially it's just trying to say, and this ties into what CIMA basically said earlier, here's what the minimum baseline is in order to meet this threshold; you've got to make sure that your cyber security framework is going to do these different subsections and get it sorted for you. The last thing it's really going to do is outline a strategy for security teams: what is something that needs to happen now, what needs to happen at the end of the quarter, what needs to happen in the next year, two, three years. It's really just trying to come up with a game plan to figure out what you need to do, again, to mitigate all that cyber security risk. It's really simple, it's not scary, and it's pretty close to hand-holding when you implement a cyber security framework.

What I tried to do was basically put in here, again, kind of a little A-plus about specific things you need to do with the Statement of Guidance. Again, what CIMA is calling out for you to have a successful implementation of a cyber security framework is to be clearly well documented, in item 6.2; make sure it's built for your organization, specific to those risk levels, right, what risk tolerance level you have, what it is you're willing to say we're going to accept this risk, we've mitigated it, we're going to try and do risk transference via a third party, and so on and so forth; and the last one is to make sure that you're doing cadence reviews and improvement cycles, 6.7 and 6.8. The nice part is any cyber security framework is also going to tie into the rest of the requirements, and basically the rest of what the Statement of Guidance is saying. When you're implementing a cyber security framework it's going to go through all of those specific requirements in the Statement of Guidance. You can't have a cyber security framework implemented if you don't have IT policies and procedures. Again, those IT policies and procedures are going to help drive the organization. Wolfgang just talked about a great one for business continuity and disaster recovery; Dave spoke about some other ones as well, about wider end user awareness training and how you need to be able to get people involved. So again, there's a lot of experts here, excuse me, experts not only on island but also presenting, that have touched on it, and if you were paying attention and taking notes, it would be pretty easy to pick up on. The last thing that the cyber security framework is going to touch base on and make sure you've got implemented are any of the technical controls that are tied to cyber risk: essentially mapping out what is our risk, what does our exposure look like to different types of threats, what technical controls do we have in place, not only human controls, policies and procedures, but making sure that you've got something handled in case an event came up.

So with that, we're going to get into some of the technical and procedural controls. As Wolfgang also just spoke about earlier, about getting everything in from the top down, IT policies and procedures should drive everything at an organization. I, as a cyber security practitioner, will say that if you're going to actually have to go forward with this as a regulated entity, it makes sense, if you're going to implement policies and procedures, to have them actually do something, have them be effective and meaningful. Don't just put something in there just because you've got a piece of paper that you're only going to pull out whenever an incident happens or if you have something you need to react to as an organization. So don't just check those boxes. The other thing that organizations should keep in mind too, especially for regulated ones here on island, just because Cayman is unique in the fact that a regulated entity may just be a three or four person shop, and it may also be a three or four person shop that's got a larger presence somewhere else in a different country, is that there's no real right way to say what policies you need, right. I can't just give you a tier list of the top four or five policies that everything should be done with. There are best practices and there are things that should be implemented for every organization, but you want to make sure that it fits you. The other thing to note too is nobody really cares, and no examiner is going to come through and say your policy is only four pages long, it needs to be 400 pages long. It needs to fit your organization. If your policies and procedures need to have that much content to get through and basically say how your organization should react and how it has data flows, then sure, have it be 400 pages long, but you want to make sure it fits, it's concise, and it's meant to be something that is actually read and digested by those key stakeholders in your organization.

The technical and procedural controls also identify against cyber risk for your organization. This is included in the cyber security framework. If you're implementing something like the NIST Cybersecurity Framework, for instance, it's going to go through and essentially map all of your different controls to the cyber risk facing the organization: what are you doing for your backups, what do you have in place for EDR or mail-type threats, how are you measuring what identity protections you have cascading throughout your organization, what are you doing as an overarching control to make sure that you've got your remote workforce and workers locked down when they're trying to access things internally. Again, this is all mapped to a specific cyber security framework that you're going to have implemented. And the last one that helps with this too, on this slide, is having third-party attestation reports, mostly because what that's going to do is validate that the implementation you have is successful, it's working, and it's also going to help reduce bias. You could say, if you wanted to, that in an afternoon you've implemented an entire cyber security framework and just given it a check mark, talked to the CIO and said yep, we're good, we're golden, doesn't matter. But again, that's just you saying that, until it's actually been implemented and you have someone to check it. You're bringing in either an expert or somebody else who's gone through an implementation to say we can validate that this has been done effectively, and it's something that we think is going to be successful in helping protect the business. When you get to some of the other implemented technical controls, any good cyber security framework is going to call out, from a vendor-agnostic standpoint, what type of technical controls need to be in place for a certain type of risk: looking again at your firewalls, your antivirus and your EDR tools, your event log management, how are you doing protections for your mail, network and identity. These are all different things that are called out in any type of cyber security framework, whether you're choosing NIST or COBIT or CIS, to make sure that you can see from a 50,000-foot view: if this happens, then this control is going to be in place to give us some sort of protection.

The last thing that the Statement of Guidance calls out, and I think this is going to be pretty evident from some of the other presentations that we have later today, with biohacking and some of the other ones tomorrow, is that end user awareness training is key and is paramount to all of the cyber security frameworks. You could have a castle that's got walls that are 80,000 feet tall and 15 miles thick, and you've got a moat with sharks that have lasers on their heads waiting to keep everybody out, but if somebody lets them in through the back door, all of that is for naught; they've already got access to everything. So what you want to make sure that you're doing, and the Statement of Guidance calls this out specifically, by calling it out in the framework as well, is you want to do periodic tests to make sure that those end user awareness levels are at a specific level. You want to make sure when you're carrying out this test too, and any cyber security framework is going to call this out as well, that this is not meant to discipline users. It's meant to help figure out where we are, how far we need to go to get to the level of acceptance that we want to have to be able to meet the maturity model within our cyber security framework.

So coming to that second requirement, about the technical and procedural controls, I want to take a little bit of time to cover some of what those policies would be that I would expect to see and what every organization should have, right. Your overarching IT policy, which basically just outlines how an organization and employees interact with data and different resources. Your security policy, obviously defining what the protections and processes are that are in place for said resources. If you're a smaller organization, you can combine some of these; you can make them match and mold as yo