A regulated entity’s cybersecurity risk management strategy is required to include measures to ensure the Confidentiality, Integrity and Availability (known as the ‘CIA triad’) of its data and systems.
The following key requirements should be considered:
Risk Identification
Define and implement an information classification scheme;
Maintain an up-to-date inventory of all assets (e.g., servers, workstations, network devices, etc.); and
Maintain a risk register showing cybersecurity threats, risks, vulnerabilities, impact, probability and applicable controls.
Risk Assessment and Protection
Establish and conduct a comprehensive cybersecurity risk assessment annually;
Assess cyber threats to operations arising from internally managed functions, outsourced arrangements and IT service providers;
Consider cyber insurance against the cybersecurity risks;
Implement protection mechanisms based on the risk and criticality of the information system; and
Develop and implement appropriate mechanisms to ensure the availability of critical products/services and the ability to prevent, mitigate, or contain the impact of a potential cybersecurity event.