[Virtual Presenter] We are excited to offer our customer training and onboarding for the Egypt Financial Cybersecurity Framework. This video will cover the updated framework and its implications for our clients in the financial sector. Our objective is to equip you with the essential information and resources to ensure that your organization's cybersecurity is current and in line with the mandated standards. Let's begin and explore the most recent updates in the December 2021 edition of the Egypt Financial Cybersecurity Framework.
[Audio] The Central Bank of Egypt implemented the EGYPT FINANCIAL CYBERSECURITY FRAMEWORK in December 2021 to protect financial institutions and their customers. This comprehensive framework is continuously reviewed and updated to stay ahead of cyber threats in order to ensure the security and integrity of all financial transactions. Its main objective is to enhance customer confidence in the safety of their financial data and transactions, with the ultimate goal of maintaining stability and trust in the financial sector of Egypt. Through the EGYPT FINANCIAL CYBERSECURITY FRAMEWORK, the well-being of individuals and organizations, as well as the overall security of the Egyptian economy, will be safeguarded.
[Audio] The document control section of the Egypt Financial Cybersecurity Framework was developed in December 2021. It is integral to the security of the country's financial sector and ensures the protection of its digital infrastructure. This section outlines the key roles and responsibilities within the framework, which is overseen by the Central Bank of Egypt's Cybersecurity Sector. The team responsible for the framework includes four individuals: Eng. Ahmed Desouki, Eng. Waleed Soliman, Eng. Tarek Soliman, and Eng. Mahmoud Amen. The document was approved and reviewed by Dr. Sherif Hazem, Sub-Governor of the Cybersecurity Sector, Mr. Gamal Negm, Deputy Governor, and Mr. Tarek Amer, Governor. The document control section also includes a revision history, with the most recent version being v1.0, finalized on December 1st, 2021. This ensures that the document is regularly reviewed and updated to stay current against evolving cyber threats. Overall, the document control section is a vital part of the Egypt Financial Cybersecurity Framework, providing structure and accountability for the ongoing management and maintenance of this essential document.
Contents.
[Audio] Slide 6 out of 50 of our presentation on Egypt's Financial Cybersecurity Framework will focus on the Cyber Technology and Operations section. This section includes capabilities such as Identity and Access Management, Data Protection and Privacy, Vulnerability and Patch Management, Email Security, Application Security, and more. Our framework also includes controls mapped to NIST Technology Architecture, covering areas such as governance, cloud security, and insider threat management. Additionally, we have an Outsourcing and Vendor Management section for monitoring and compliance in our financial operations. Our appendix includes resources, references, acronyms, and a hierarchy of controls to guide framework implementation. Our goal is to create a secure financial system in Egypt.
[Audio] This presentation will discuss Egypt's Financial Cybersecurity Framework and its key elements for protecting financial data from cyber threats. Slide number 7 emphasizes the importance of regular cybersecurity training and onboarding for employees. Ongoing training and onboarding not only strengthen security measures, but also promote a culture of awareness and responsibility towards cybersecurity. Employees are the first line of defense against cyber attacks and must be well-informed and equipped to handle potential threats. Key areas of focus in training and onboarding should include educating on common cyber threats, password protection, and handling sensitive financial data. It is crucial to regularly update and review policies and procedures to stay aligned with industry standards. Employees should also be provided with resources for reporting suspicious activity or potential security breaches. Regular training and onboarding are essential for a strong and secure financial cybersecurity framework. By continuously educating and empowering employees, organizations can safeguard their financial data from cyber threats.
[Audio] We will now discuss slide 8, where we will focus on the key areas identified by the Central Bank of Egypt for tailoring a cybersecurity framework for the financial sector. As previously mentioned, the financial sector plays a crucial role in the economic security and growth of our country. As technology and connectivity continue to advance, it is essential that we address the threat of malicious actors in the cyber world. In response, the CBE has taken on the responsibility of identifying and implementing security measures to protect the integrity and security of our financial systems. This has resulted in the development of a customized cybersecurity framework designed specifically for the unique needs of the Egyptian financial sector. This framework will be the foundation for building cybersecurity capabilities within the sector and marks the beginning of a larger effort by the CBE to establish a strong and sustainable cybersecurity ecosystem in the financial sector. Let us now proceed to the next slide for a detailed understanding of this framework.
[Audio] In slide number 9, we will discuss the Egypt Financial Cybersecurity Framework for December 2021. This framework is crucial for maintaining the security of the financial sector in Egypt. It is continuously updated to stay ahead of cyber threats and is the result of collaboration between various organizations and stakeholders, including the Central Bank of Egypt, financial institutions, and government agencies. The framework outlines standards and best practices that all financial institutions in Egypt must follow, including implementing strong security measures and conducting regular risk assessments and audits. One of its key components is the establishment of a cyber incident response plan, which helps financial institutions respond to potential cyber incidents effectively and efficiently. Additionally, the framework promotes the use of advanced technologies such as artificial intelligence, machine learning, and blockchain to enhance cybersecurity. By adhering to this framework, we can protect our institutions and customers from cyber risks and contribute to a stronger and more resilient financial system. We must all work together to ensure the security and stability of our financial sector. Thank you for learning about the important role of the Egypt Financial Cybersecurity Framework. Stay tuned for more information on how to implement this framework in your organization.
[Audio] Slide number 10 is dedicated to discussing the Egypt Financial Cybersecurity Framework, which was established by the Central Bank of Egypt in December 2021. The main goal of this framework is to improve the cybersecurity posture and resilience of the financial sector in Egypt. It includes a range of best practices and controls that must be implemented in the cybersecurity programs of the financial sector, based on industry-accepted publications such as the NIST Cybersecurity Framework, NIST SP 800-53, Revision 5, PCI/DSS 3.2.1, ISO 27001:2013, and CIS Controls. This comprehensive document offers a flexible approach for all Licensed Entities under the supervision of the CBE to design and implement necessary controls in accordance with current and emerging industry standards. Additionally, the CBE has developed a structured assessment, training, and maturation model based on this framework. As organizations continuously enhance and evolve their cybersecurity programs, the CBE will regularly update and refine expectations and the framework to keep up with the ever-changing landscape. This marks the end of the overview of the Egypt Financial Cybersecurity Framework. More information on strengthening the cybersecurity of the financial sector will be available in the future.
[Audio] This is Slide 11 out of 50. The framework was created to provide comprehensive guidelines for the financial sector in Egypt, in accordance with Egyptian laws and regulations, specifically under the legal authority of the Central Bank of Egypt, as outlined in Law No. 194 for 2020. It also takes into consideration other laws, such as the Egypt Law for Information Technology Crimes and the Egypt Anti-Money Laundering Law No. 80 for 2002 and its amendments. The Central Bank of Egypt has issued circulars and specific guidance on various topics that align with these laws and regulations, which have been incorporated into this framework. As the official guidance for the Central Bank of Egypt, this framework covers cybersecurity, technology, and risk management. It is important to note that this framework does not replace or override any existing CBE regulations and should not be seen as a license for new services. All banking and financial institutions under the supervision of the CBE are expected to comply with regularly announced regulations and follow the standard process for obtaining license approvals. This concludes our presentation on the Egypt Financial Cybersecurity Framework for December 2021. Thank you for your attention.
[Audio] The Egypt Financial Cybersecurity Framework places significant importance on defining roles. The Central Bank of Egypt (CBE), in accordance with its legal authority, is responsible for setting strategic, technical, and policy standards that regulated financial institutions must adhere to. These standards also include compliance requirements that institutions must meet. Financial institutions operating within the jurisdiction of the CBE, as defined by Egyptian laws, are obligated to assess their cybersecurity posture in accordance with this framework, using the assessment mechanisms provided by the CBE. It is crucial for financial institutions to understand and comply with their roles as outlined in the framework to ensure the security of the Egyptian financial sector. These roles not only benefit the institutions, but also contribute to the larger goal of a stable and secure financial environment for the country.
[Audio] The Central Bank of Egypt has created a thorough framework to protect against cyber threats. This framework is based on multiple standards, such as the NIST framework, ISO 27001/27002, CIS controls, and PCI-DSS. Incorporating the three main components of people, process, and technology, as well as five key functions and 23 domains, this framework offers a robust and effective defense against cyber attacks. (Figure 1).
[Audio] Slide number 14 provides an overview of the Financial Cybersecurity Framework, which covers various standards such as the NIST framework, CIS Controls, ISO 27001/27002, and PCI-DSS. The framework is divided into four categories, including People, Process, Governance, and Cyber Technology & Operations Capabilities. These pillars cover important areas such as security awareness and training, compliance, risk management, asset management, and business resilience. Additionally, the framework addresses crucial topics like insider threat management, physical and environmental security, data protection and privacy, and vulnerability and patch management. This comprehensive approach helps safeguard the financial sector from cyber threats. The Cyber Technology & Operations Capabilities section covers key areas like identity and access management, application security, digital channels, network security, end-point security, and email security. These capabilities play a vital role in defending against cyber attacks. The final element of the framework, Outsourcing & Vendor Management, emphasizes the importance of managing third-party and vendor relationships, including cloud security. This slide also includes a visual representation of the framework's functions and domains. Please note that the color mapping in the figure refers to Figures 1, 2, and 3 for reference. The Financial Cybersecurity Framework is an essential tool for protecting the financial sector from cyber threats. Let's now move on to slide number 15 for more information on the framework's functions and domains.
[Audio] The Egypt Financial Cybersecurity Framework is the topic of our discussion today. This is slide 15 out of 50. The framework is organized into five key functions: Governance, Cyber Risk Management, Cyber Technology and Operations Capabilities, Cyber Defence, and Outsourcing and Vendor Management. Each of these functions plays a crucial role in securing financial systems in Egypt. We will take a closer look at each function. Firstly, Governance is responsible for establishing policies, procedures, and structures to govern cybersecurity initiatives in the financial sector. It sets the tone and direction for managing cyber risks. Next, Cyber Risk Management identifies potential threats and vulnerabilities and implements measures to mitigate and manage risks. This is important in safeguarding against cyber attacks and maintaining the stability of financial systems. Moving on, Cyber Technology and Operations Capabilities covers the technical and operational capabilities needed to protect and secure financial systems. This includes monitoring, detecting, and responding to cyber threats. The function of Cyber Defence is vital, as it implements measures and strategies to defend against cyber attacks. This includes both proactive and reactive measures. Lastly, Outsourcing and Vendor Management is responsible for managing third-party vendors' access to financial systems and ensuring compliance with cybersecurity standards. These five functions together form the Egypt Financial Cybersecurity Framework, with the common goal of securing the financial sector and protecting against cyber threats. This concludes our discussion on the framework. Stay tuned for more information on the Egypt Financial Cybersecurity Framework.
[Audio] The Financial Cybersecurity Framework's core functions have been covered and now we will examine how it relates to the NIST Cybersecurity Framework. This will help us understand the key areas that require our attention in ensuring the security of our financial systems. The first function, Identify, is vital for understanding our organization's assets and their value. By conducting a thorough assessment, we can identify vulnerabilities and risks in our network. Protect involves implementing measures to prevent cyber attacks and minimize the impact of security incidents. This includes network security, vulnerability and patch management, and application security. Detect includes monitoring our systems for any suspicious activity and identifying potential threats. Security operations, incident response, and end-point security play a crucial role here. Respond involves reacting to any security incidents, with an incident management policy and effective management of cyber threats. Recover focuses on restoring systems to their normal state after a security incident. This involves business resilience, risk management, and data protection and privacy. Additional functions include Email Security, Insider Threat Management, Physical and Environmental Security, and Identity and Access Management for added protection and monitoring of our financial systems. Security Awareness and Training is also important for educating employees and increasing their understanding of cybersecurity best practices. Governance and compliance require appropriate policies and procedures to meet regulatory and industry standards. In the digital age, securing our online presence is crucial, including cloud security, outsourcing and vendor management, and SIEM and analytics for monitoring and threat detection. Finally, change management is essential for controlling and managing any changes.
[Audio] The Central Bank of Egypt has implemented a comprehensive Cyber Security framework in accordance with the NIST Technology Architecture as part of the Egypt Financial Cybersecurity Framework. This framework comprises various controls that are mapped to NIST standards to ensure the utmost security for our financial systems. Slide number 17 discusses the 16th control, which specifically aims to protect the financial sector of Egypt. This control is crucial in protecting against cyber threats and maintaining the integrity and stability of our financial infrastructure. We will further explore the Egypt Financial Cybersecurity Framework in the upcoming slides and its crucial role in safeguarding our nation's financial systems.
[Audio] In this section of our presentation on Egypt's Financial Cybersecurity Framework, we will discuss clients and infrastructure. This includes both unmanaged and managed clients in on-premises, private cloud, and public cloud environments. We have implemented various security measures such as firewalls, endpoint protection, DNS protection, and data loss prevention. Our infrastructure also utilizes load balancers, web filtering, and VPNs, along with other security measures. We have established policies for asset and configuration management, risk assessments and compliance, business resilience and disaster recovery planning. This includes regular penetration testing, vulnerability and patch management, and backup and disaster recovery procedures in order to ensure a secure environment. Additionally, we have measures in place for privileged access management, identity and access management, and incident response and recovery. Our security architecture follows industry standards and regulations and we constantly monitor our systems for potential threats. We also prioritize vendor management to ensure our partners meet our security standards. Our cybersecurity framework is based on NIST architecture standards, as shown in Figure 3. As clients and infrastructure are crucial aspects of our financial cybersecurity framework, we continually strive to stay ahead of potential threats and maintain the highest level of security for our clients and their sensitive information. Thank you for your attention and please continue to follow our presentation for a comprehensive understanding of Egypt's Financial Cybersecurity Framework. This concludes slide number 18.
[Audio] Slide number 19 out of 50. Let's take a closer look at the structure of the Egypt Financial Cybersecurity Framework's domains. The framework aims to protect the financial sector from cyber threats through a comprehensive approach. Each domain consists of the following sections: Objective, Scope, People, Process, Architecture Standards, Technology Capabilities, Control Baseline, and Governing Standards. The Objective section states the overall objective and identifies the associated controls' purpose in mitigating threats. The Scope section defines the boundaries and limitations of the domain for effective implementation and management. The People section highlights the necessary knowledge and competencies for individuals in the domain. The Process section outlines policy-driven controls for a strong framework. The Architecture Standards section specifies design standards for consistency and compatibility. The Technology Capabilities section details technology-based controls for enhanced security. The Control Baseline section simplifies the controls in version 8 for easier implementation. The Governing Standards section includes a cross-referenced table of controls to align with industry standards. In summary, the Egypt Financial Cybersecurity Framework's domains are well-structured with comprehensive components.
[Audio] The topic of security controls in the EGYPT FINANCIAL CYBERSECURITY FRAMEWORK is a crucial aspect of compliance and risk mitigation. These controls are categorized as process-based or technology-based, with each control being labeled as mandatory or advisable. For a complete list of controls, refer to Appendix D, the Hierarchy of Controls. Additionally, the framework controls will be used to assess the maturity level of financial institutions, taking into consideration the type and weight of each control compared to a minimum baseline of mandated controls. As we move to the next slide, it is important to remember the importance of these security controls in creating a secure financial landscape in Egypt.
[Audio] The assessment is a crucial part of the Egypt Financial Cybersecurity Framework we are discussing. It has been designed carefully to evaluate both qualitative and quantitative aspects and provide a thorough assessment of compliance. The process is divided into three categories: overall rating, per-function rating, and per-domain rating. These categories reflect a point-in-time evaluation of an organization's cybersecurity capabilities. The Capability Maturity Model Integration (CMMI) is commonly used to assess maturity, residual risk, and progress towards compliance with standards. Member institutions can utilize this model to measure their compliance and maturity. Table 4 can be referred to for a better understanding of these ratings. This concludes slide 21 of our presentation on the Egypt Financial Cybersecurity Framework. Please continue to the next slide for more information.
[Audio] We are currently on slide 22 out of 50. In this slide, we will discuss the maturity levels of the Egypt Financial Cybersecurity Framework. This will help you understand the necessary capabilities and processes for a secure financial environment. The first level is the Initial level, where capabilities and processes may not exist or are disorganized. This results in little to no documentation of processes, leading to either nonperformance or ad hoc performance. Moving on to the Repeatable level, there may be some existing capabilities and processes, but they are not well-established, defined, or documented. This can result in inconsistent processes. At the Defined level, capabilities and processes are developed and standardized across the organization, with formal documentation and socialization. This ensures a clear understanding and consistent implementation of processes. The Managed level involves monitoring, controlling, and improving capabilities and processes as needed, allowing for adaptability without compromising quality. Finally, the Optimized level is where capabilities and processes are highly mature and continuously improved through innovative methods. This concludes slide 22 of our presentation on the CMMI Maturity Model. The next slide will delve into the specifics of each maturity level in the Egypt Financial Cybersecurity Framework. Thank you for your attention.
[Audio] This training video focuses on slide number 23 of the Egypt Financial Cybersecurity Framework. The framework plays a crucial role in establishing a strong and resilient cybersecurity ecosystem in Egypt's financial sector. It is the first step in the Central Bank of Egypt's efforts to secure and protect the country's financial industry. The framework will continue to evolve and improve with each iteration, taking into account feedback from previous assessments. Its ultimate goal is to serve as a model for other regions in establishing a secure and sustainable cybersecurity system in the financial sector, benefiting not only Egypt but also the overall security and stability of the region. The various stages of the framework's lifecycle are shown in Figure 4, starting with self-assessment and followed by implementation, monitoring, and continuous improvement based on assessment results. It is essential for all stakeholders in the financial sector to actively participate and adhere to this framework to ensure its success and the development of a robust cybersecurity ecosystem in Egypt.
[Audio] We will discuss the iterative lifecycle development process for the Egypt Financial Cybersecurity Framework, which is depicted in Figure 4. This approach is cyclical and continuous, with four stages: assessment, planning, implementation, and evaluation. Each stage is crucial for the framework's effectiveness and relevance. The assessment stage involves understanding the current cybersecurity landscape and identifying risks and vulnerabilities. This forms the foundation for the planning stage. In planning, the gathered information is used to design a tailored approach for the framework, setting measurable goals, objectives, and necessary resources and timelines. The implementation stage involves developing and deploying the framework by implementing controls, policies, and procedures to enhance cybersecurity. The final stage, evaluation, is necessary for continuously improving the framework. It involves ongoing monitoring and assessment, and making adjustments for effectiveness. With each cycle, the framework becomes more robust and tailored to evolving threats. It is a continuous effort to safeguard the financial sector in Egypt. The discussion on the iterative lifecycle development process for the Egypt Financial Cybersecurity Framework is now complete. The next section will cover the framework's key components.
[Audio] In this section, we will discuss the significance of governance in establishing a successful cybersecurity program. Governance is the backbone of any cybersecurity program and encompasses the organizational structure, leadership support, policy development, and user training. These components must collaborate effectively to safeguard the data of your organization. Alignment of all initiatives with the organization's mission, vision, and goals is crucial for an efficient cybersecurity program. Staying updated with local laws and regulations is also essential for compliance. It is important to regularly monitor and adjust the cybersecurity program to meet necessary requirements. Implementing strong governance practices can help create a solid and robust cybersecurity program, providing protection for your data and systems while instilling confidence and trust in your customers and stakeholders. This concludes our discussion on the Egypt Financial Cybersecurity Framework. Please proceed to the next slide for more important information.
[Audio] Slide number 26 explains the Strategy and Organizational Structure aspect of the Egypt Financial Cybersecurity Framework. This element is crucial for a strong and mature cybersecurity program. The objective is to ensure that the organization has a suitable leadership strategy and organizational structure in place to achieve its mission objectives. This involves providing the necessary tools and resources to manage risks and protect against specific threats. Additionally, this domain examines the organization's overall cybersecurity strategy and how it aligns with the required structure to effectively combat cyber threats. One important aspect of the organizational structure is the designated roles and responsibilities of individuals within the cybersecurity program. It is important for top management to ensure that no individual has conflicting roles and responsibilities. For example, one person should not serve as both the CIO and CISO, or as the CISO and COO. It is also important to have designated executive roles for cybersecurity governance and oversight committees. These individuals are crucial in ensuring the success of the cybersecurity program and are responsible for specific tasks as well as serving on oversight committees. This ensures a well-rounded and comprehensive approach to cybersecurity within the organization. Overall, the Strategy and Organizational Structure component is an essential pillar of the Egypt Financial Cybersecurity Framework, and it is vital in building a strong and mature cybersecurity program. Please continue with slide number 27 for more information.
[Audio] The role and responsibilities of the Chief Information Security Officer, or CISO, within an organization will be discussed on slide number 27 of our presentation. The CISO is essential in safeguarding the organization's assets from both internal and external threats. This includes creating and enforcing the organization's cybersecurity program, in line with board objectives and business needs. This involves implementing policies, procedures, standards, and controls to defend against cyber threats. The CISO also manages the security operations center (SOC) and takes part in risk management activities throughout the organization. In the event of a security incident, the CISO takes charge and collaborates with other departments, such as IT and Risk, to handle and mitigate the issue. They are also the primary point of contact for any cyber security notifications and communications from the Central Bank of Egypt - Cyber Security Sector. Additionally, the CISO or a delegate attends CAB meetings and assesses potential risks for new business initiatives and projects. They also inform management and the board of the organization's security maturity levels, identify any gaps, and propose enhancement plans. Finally, the CISO is responsible for implementing a cyber security awareness program for all employees to educate and promote best practices. To sum up, the CISO is responsible for all aspects of cybersecurity within the organization and plays a crucial role in protecting its assets and ensuring its security. Let's continue to the next slide.
[Audio] Slide 28 out of 50: Let's take a closer look at the key roles responsible for maintaining the financial cybersecurity framework within the organization. These roles ensure alignment with the organization's strategic vision, use of technology, and necessary risk-mitigation measures. The Chief Operating Officer (COO) oversees daily business operations and collaborates with executive leadership from various departments. They also play a crucial role in the organization's steering committees to ensure alignment with the cybersecurity framework. The Chief Audit Officer (CAO) is responsible for compliance with internal policies and external standards through an active auditing program. The Board of Directors has the ultimate responsibility for setting the direction and roadmap for the organization's cybersecurity. They approve the cybersecurity strategy and program, with a solid understanding of related risks and goals. The Chief Information Officer (CIO) is in charge of IT and computer systems that support enterprise goals. This includes managing the budget, maintaining systems, and overseeing IT staff. The CIO plays a crucial role in developing and implementing cybersecurity measures for financial security. Together, these roles and teams maintain the financial cybersecurity framework for the organization. They ensure compliance with the CBE Governance and Internal Control Regulation, while safeguarding against potential risks and threats.
[Audio] Slide number 29 of our December 2021 presentation on the Egypt Financial Cybersecurity Framework will cover updates and responsibilities related to compliance and audit for your organization. We will also discuss the cybersecurity status and risks within your company. It is crucial to stay informed of any changes in laws or regulations to avoid penalties. We will review internal and external audit reports, including high-severity findings, to identify areas for improvement. The relevant stakeholders must approve the organization's risk appetite, profile, and tolerance for a cohesive approach towards managing risks. We will also review critical audit findings and any unresolved issues. The status of security enhancement recommendations shared by CBE Cyber Security Sector will be discussed. The Chief Information Security Officer (CISO) will update on the company's cybersecurity status and highlight any core challenges. The Chief Risk Officer (CRO) will provide an update on the Risk Assessment and Treatment Plan, including cybersecurity and business risks. The Cybersecurity Steering Committee is responsible for guiding and approving the strategy and policy, ensuring a balance between security and organizational objectives. The committee will also update on any major or critical cybersecurity incidents and confirm reporting to EG-FINCIRT in accordance with CBE regulations. The Chief Information Security Officer (CISO) will also address any questions or concerns related to the presentation.
[Audio] In the Egypt Financial Cybersecurity Framework, there are specific job roles and recommended experience, certifications, and training for each. This information can be found in Figure 6 of the framework document. Moving on to slide number 30, there is the Audit Committee, which ensures compliance and oversees the organization's audit function and controls. It is made up of senior executives, stakeholders, and experts with expertise in compliance and governance. Recommended experience includes a number of years working in cybersecurity and completion of relevant courses and certifications. Next, the Risk Management Committee advises the Board of Directors on risk strategy and requires non-technical skills such as risk assessment and strategy development. Finally, the Change Management Board evaluates change requests and considers both business requirements and technical aspects. In summary, each job role in the framework has a minimum level of required knowledge, skills, and abilities, as well as recommended training and experience. We will now move on to slide number 31 to further explore these competencies and their significance in the framework.
[Audio] This training is focused on the Egypt Financial Cybersecurity Framework for December 2021. We are currently on slide number 31 out of 50, which covers the Technology Capabilities entry for the Strategy and Organizational Structure domain. The requirements in this domain are documentation and process requirements rather than specific technologies. The framework requires a documented roadmap that identifies the strategic objectives of the cybersecurity program and a plan to measure progress against them. These objectives are aligned across the organization and broken down into smaller objectives and tasks at each management level using the "objectives and key results" (OKR) approach. The organization must also have a documented process or standard stating its mission, vision, and goals, communicated to all employees and well understood by them. To ensure progress, specific resources should be assigned to the organizational goals and evaluated on a quarterly basis. The framework also requires a recurring review of program roles and skill sets to confirm that the organization is capable of meeting its cybersecurity needs. During these reviews, consider whether operating level agreements (OLAs) are being met for event detection and incident response, whether the necessary skill sets exist to address the current threat profile, whether identified skill or role gaps have been filled, whether career advancement paths are in place to reduce role turnover, and whether the performance of each role meets the expectations of the cybersecurity program. This concludes our discussion of the Technology Capabilities entry for this domain. Now, we will move on to slide number 32.
[Audio] In this segment, we will be discussing the governing standards and control references for the Egypt Financial Cybersecurity Framework in December 2021. These standards provide specific guidance on security controls: NIST Special Publication 800-53, ISO 27001, and PCI/DSS. Additional guidance can be found in NIST Special Publication 800-181 Rev. 1 (the NICE Workforce Framework) and NIST Special Publication 800-55 Rev. 1 (performance measurement). Next, we will be focusing on the controls and best practices for this function domain, including leadership advocacy, defined roles and responsibilities, strategic objectives, and mission and goals. These elements establish a strong governance strategy and organizational structure. We will also be discussing operations and execution validation, which are essential for maintaining the overall security of the organization. For more detailed information, please refer to Table 5, which outlines the controls and best practices mentioned here. Let's now move on to slide number 33 for a deeper look into the implementation of these controls in your organization.
[Audio] Slide 33 discusses the policy aspect of the Egypt Financial Cybersecurity Framework. Policies serve as the foundation of an effective cybersecurity program by allowing businesses to operate while also protecting the organization from potential risks. The objective of the policy is to establish a set of agreed-upon standards, endorsed by executive leadership, to hold employees and other business elements accountable for their actions. These policies are shaped by the needs of the business culture, compliance regulations, and industry standards. Policies are regularly reviewed and refined in accordance with the organization's mission, vision, and goals to ensure their relevance. All employees have access to these policies through documents in a centralized location and it is their responsibility to understand and adhere to them in order to ensure the security of the organization. Those who support policy must have in-depth knowledge, formal training, and extensive hands-on experience, as well as skills in international cybersecurity standards and frameworks. Additionally, they should be able to effectively communicate and train all users on the approved policies as part of the Cybersecurity Awareness program. It is important for these individuals to hold industry certifications such as ISACA CISM, ISACA CGEIT, OCEG GRCP, and ISC2 CISSP. The process aspect of the policy is constantly evolving and it is crucial to establish a process to monitor and update policies regularly in order to maintain a strong cybersecurity posture and safeguard the organization from potential risks..
[Audio] Slide number 34 out of 50 in the Egypt Financial Cybersecurity Framework for December 2021 introduces the technology capabilities. Specifically, we will focus on the Policy Management System of Record. This system is essential for maintaining effective organizational policies and serves as a centralized system for identifying policy details. It also records and reports on employees' and contractors' acknowledgement and acceptance of policies. Next, we will cover auditing and compliance, business continuity/resilience, change management, and other areas related to cybersecurity. To ensure these areas are properly addressed, we will follow governing standards outlined in Table 6 and refer to NIST Special Publication 800-53, ISO 27001, and PCI/DSS for specific guidance on security controls. Additionally, we will consider guidance on IT controls and risk management frameworks from COBIT, COSO, and ITIL. To reinforce the importance of policies, we have a documented process for Policy Training and Acceptance that requires all employees and contractors to receive training and certify their understanding of critical policies. This concludes our discussion on the Policy Management System of Record and its role in the Egypt Financial Cybersecurity Framework's technology capabilities..
[Audio] In order to ensure the safety and security of Egypt's financial industry, compliance is essential. The organization, its employees, and third-party vendors must comply with internal policies, laws, and regulations. Compliance not only reduces risk exposure but also promotes accountability and responsibility. Internal and external audits are conducted to evaluate compliance with organizational policies, and any non-compliance is addressed. Compliance covers internal policies, industry standards, regulatory and legal standards. Audits, assessments, and inspections are used to evaluate compliance, with a documented process to monitor and assess organizational compliance. This includes roles, responsibilities, timelines, methods, scope, reporting, and consequences. A self-assessment is also conducted using a questionnaire and framework provided by the regulator. Personnel supporting compliance must have in-depth knowledge, formal training, and hands-on experience. This includes cybersecurity internal audits and understanding of the organization's internal environment. Compliance is crucial for maintaining the security and stability of Egypt's financial cybersecurity framework..
[Audio] Slide number 36 outlines the next step in the assessment process, which is to formalize the results and findings of the self-assessment. This includes creating a report on the cybersecurity capabilities that were reviewed. The design and effectiveness of the entity's cybersecurity capabilities and controls will be evaluated during this phase to determine if they align with policy claims. Any evidence gathered during the self-assessment should be documented thoroughly. Once the report is complete, it is vital to review it to ensure it meets the requirements of the relevant capabilities. Any discrepancies or areas for improvement should be noted and action plans for remediation must be developed. This will help to strengthen the organization's cybersecurity capabilities. The final step in the assessment process is to share the self-assessment report with the organization's management. The report will also include any corrective and preventive actions identified during the assessment. It is crucial for this report to be reviewed by a higher-level reporting team on an annual basis to ensure compliance with requirements. Lessons learned from previous assessments should also be included. This concludes Table 7 of the assessment process activities and controls. It is essential to follow each step carefully to ensure the validity of the assessment and enhance the organization's cybersecurity capabilities. We will now move on to the next topic..
[Audio] Slide 37 covers the reporting and regulatory alignment for compliance under the Egypt Financial Cybersecurity Framework in December 2021. Organizations are required to have a documented process for reporting any lapses in compliance and policy to the proper authorities, in accordance with CBE requirements. The results of these reports must be submitted within the agreed upon time period and in compliance with the reporting requirements. Additionally, organizations must have a process in place to ensure that compliance and enforcement activities align with regulatory requirements, specifically mentioning the relevant regulations or laws. In terms of technology capabilities, organizations must have a Governance, Risk, and Compliance (GRC) System in place to aid in identifying technical compliance with official policies. The GRC should also interact with a self-assessment process for an effective compliance program. For more specific guidance, organizations are advised to refer to NIST Special Publication 800-53, ISO 27001, and the Payment Card Industry Data Security Standard (PCI/DSS). These governing standards should be used in conjunction with the associated sections in NIST Special Publication 800-53 on Security and Privacy Controls for Information Systems and Organizations. All selected technologies should be onboarded to the SOC..
[Audio] Slide number 38 will cover section 1.4 of the December 2021 EGYPT FINANCIAL CYBERSECURITY FRAMEWORK. This section will focus on Security Awareness and Training, which includes topics such as data privacy, business ethics, physical threats, password security, and employee data collection and privacy. It also covers social engineering and phishing, data breach response, media engagement, and software installation policies, as well as job role-specific training for remote access, privileged access accounts, data owner and custodian responsibilities, and configuration and change management. The goal of this training is to educate employees, third parties, contractors, and customers on their responsibilities for protecting the organization's assets and data. By providing guidance on minimizing risks and potential threats, it aims to prevent brand and reputation damage, intellectual property theft, loss of public trust, and regulatory penalties. This training is also important for onboarding new employees and should be conducted annually or as needed to maintain a security-aware mindset. It is crucial that Security Awareness and Training stays up to date and aligns with current cyber threats and organizational policies. Those conducting the training must have thorough knowledge, formal training, and hands-on experience in the field. Essential skills include being able to conduct cybersecurity training in accordance with regulatory requirements and familiarity with the organization's services..
[Audio] The next section, Process, tracks awareness training completion by department, with the target that every department reaches 100% completion. It also emphasizes identifying and addressing employees who are vulnerable in phishing exercises: those who repeatedly fall for simulated phishing are placed on watchlists in the SIEM so that alerts involving their accounts receive extra scrutiny. To strengthen the organization's cybersecurity, there are supporting technology capabilities. These include a Formalized Security Awareness Program, which provides centralized training to educate employees on their responsibility for protecting organizational assets and data from threats. The program uses real-world examples and various training methods, and also includes awareness campaigns and employee feedback for continuous improvement. Additionally, the organization has a Learning Management System (LMS) for centralizing security awareness and training administration, storage, tracking, reporting, and delivery to employees and contractors. The LMS allows the organization to create or integrate course materials, set learning goals, create customized reinforcement questions and assessments, and track progress. A Role-Based Training Plan, based on organizational policy, identifies training requirements for employees according to their job role and level of access. This plan determines core skills and recommends additional training and conferences to enhance them. To reduce susceptibility to phishing, the organization conducts immersive phishing simulations for employees.
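The two Process outputs described above, department-level training completion and a SIEM watchlist of repeat phishing victims, are easy to derive from LMS and phishing-simulation exports. The following is an added example, not code from the CBE framework or from any LMS or phishing-simulation product; the record layouts, the "two failures" threshold and all data are constructed assumptions.

```python
"""Added example, not code from the CBE framework or any LMS/phishing vendor.
It turns two constructed exports, LMS completion records and phishing-simulation
results, into the Process outputs the slide describes: per-department training
completion and a SIEM watchlist of repeat phishing victims. Field names and the
'two failures' threshold are assumptions."""
from collections import defaultdict

# Constructed LMS completion export: one row per employee.
LMS_RECORDS = [
    {"user": "a.hassan", "dept": "Treasury", "completed": True},
    {"user": "m.fathy",  "dept": "Treasury", "completed": True},
    {"user": "s.nour",   "dept": "Retail",   "completed": True},
    {"user": "k.adel",   "dept": "Retail",   "completed": False},
    {"user": "r.samir",  "dept": "IT",       "completed": True},
]

# Constructed phishing-simulation results: one row per user per campaign.
# result is one of: reported, ignored, clicked, submitted_credentials.
PHISH_RESULTS = [
    {"campaign": "2021-Q2", "user": "a.hassan", "result": "clicked"},
    {"campaign": "2021-Q2", "user": "k.adel",   "result": "submitted_credentials"},
    {"campaign": "2021-Q2", "user": "s.nour",   "result": "reported"},
    {"campaign": "2021-Q3", "user": "a.hassan", "result": "submitted_credentials"},
    {"campaign": "2021-Q3", "user": "k.adel",   "result": "ignored"},
    {"campaign": "2021-Q3", "user": "m.fathy",  "result": "clicked"},
    {"campaign": "2021-Q4", "user": "a.hassan", "result": "clicked"},
    {"campaign": "2021-Q4", "user": "k.adel",   "result": "clicked"},
    {"campaign": "2021-Q4", "user": "m.fathy",  "result": "reported"},
]

# Outcomes that count as falling for the simulation.
FAILURES = {"clicked", "submitted_credentials"}


def department_completion(records):
    """Map each department to (completed, headcount, at_100_percent)."""
    counts = defaultdict(lambda: [0, 0])
    for rec in records:
        counts[rec["dept"]][1] += 1
        if rec["completed"]:
            counts[rec["dept"]][0] += 1
    return {dept: (done, total, done == total) for dept, (done, total) in counts.items()}


def repeat_offenders(results, threshold=2, window=None):
    """Users who failed at least `threshold` simulations.

    `window` limits the count to the most recent N campaigns, so a user who
    improved after remediation training eventually drops off the list.
    """
    campaigns = sorted({rec["campaign"] for rec in results})
    if window is not None:
        campaigns = campaigns[-window:]
    failed = defaultdict(list)
    for rec in results:
        if rec["campaign"] in campaigns and rec["result"] in FAILURES:
            failed[rec["user"]].append(rec["campaign"])
    return {user: sorted(camps) for user, camps in failed.items() if len(camps) >= threshold}


def siem_watchlist(offenders, list_name="phishing_repeat_clickers"):
    """Rows for a SIEM lookup table; correlation rules can then raise the
    priority of alerts involving these users (mail clicks, new logins, MFA resets)."""
    return [
        {"list": list_name, "user": user, "failures": len(camps), "last_failure": camps[-1]}
        for user, camps in sorted(offenders.items())
    ]


if __name__ == "__main__":
    for dept, (done, total, full) in department_completion(LMS_RECORDS).items():
        print(f"{dept}: {done}/{total} trained{' (100%)' if full else ''}")
    for row in siem_watchlist(repeat_offenders(PHISH_RESULTS)):
        print(row)
```

The `window` parameter matters in practice: a watchlist that never ages out punishes people who have since passed remediation training, so scoring only the last few campaigns keeps the SIEM list aligned with current risk.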
[Audio] In this section, we will discuss the control baseline and its significance in securing your systems. Baselining and hardening, as noted in Table 9, are essential for reducing the attack surface. The specific tasks involved will vary with system features, operating systems, vendors, software versions, and system types. CIS Benchmarks provide baseline configurations for specific platforms, and the relevant safeguards from CIS Controls v8 are listed for your convenience. For detailed baselining and hardening guidelines, refer to the CIS Benchmarks and the NIST National Checklist Program (NCP) Checklist Repository at nist.gov. These resources provide centralized, regularly updated checklists that incorporate industry best practices and hardening techniques, organized by authority and target platform. Now, let's review the CIS Control details for the Protect function, Education & Awareness Program. Safeguard 14.1 requires establishing and maintaining a security awareness program that educates the workforce on how to interact with enterprise assets and data securely; training occurs upon hire and at least annually, and the content is reviewed and updated annually or when significant enterprise changes could affect the safeguard. Safeguard 14.2 requires training the workforce to recognize social engineering attacks such as phishing, pretexting, and tailgating. Safeguard 14.3 requires training on authentication best practices, including MFA, password composition, and credential management. Lastly, safeguard 14.4 requires training the workforce on how to correctly identify, store, transfer, archive, and destroy sensitive data, including proper data handling procedures.
[Audio] This slide discusses the governing standards for security controls, specifically NIST Special Publication 800-53, ISO 27001, and the Payment Card Industry Data Security Standard (PCI/DSS). Following established standards helps ensure the security of an organization's information systems and data. Additional guidance can be found in NIST Special Publication 800-50, which covers building an information technology security awareness and training program. The NIST CSF, NIST SP 800-53 rev5, ISO 27001:2013, and PCI DSS 3.2.1 each provide controls and best practices for security awareness and training, including a formalized security awareness program, role-based training plans, and metrics to track progress. A Learning Management System (LMS), mapped to NIST CSF category PR.AT and to NIST SP 800-53 control AT-2, is required for implementing and managing the program. Phishing awareness is another governance requirement, mapped to the same PR.AT and AT-2 references and to the specific clauses listed in the table. In summary, strong governance is crucial for effective security awareness and training, and it is essential to adhere to the corresponding controls and best practices in the various standards. Please continue to the next slide for further information.
[Audio] This section is about Cyber Risk Management, which is an important aspect of the Egypt Financial Cybersecurity Framework. Its main goal is to implement controls for managing potential risks in order to ensure business operations are not compromised. This process begins with identifying and classifying critical business processes, assets, and risks. By understanding these factors, we can effectively monitor, manage, transfer, mitigate or accept risks. In Figure 7, we can see how risk is balanced with the security of business operations. This balance is crucial for protecting both the security and operations of the business. By maintaining this balance, we can effectively manage risks and prevent potential threats. As we approach the end of our presentation, it is important to remember the significance of Cyber Risk Management in the overall Egypt Financial Cybersecurity Framework. By implementing these controls, we can protect our business and ensure the safety of our operations. Let's continue to the next slide..
[Audio] In this training video, we will be discussing slide number 43 of the Egypt Financial Cybersecurity Framework for December 2021, which focuses on Risk Management Operations. The objective of these operations is to protect the organization's information and assets by implementing safeguards that ensure confidentiality, integrity, and availability. By considering risks, an organization can make informed decisions that minimize potential damage to its brand, operations, and assets, which is why risk management operations must be a priority. To better understand this process, let's look at Figure 8, which illustrates a business risk management process. This process helps organizations identify and assess risks, implement the necessary safeguards, and continuously monitor and update their risk management strategies. It ensures that the organization is accountable for its risks and makes informed decisions to protect its operations. Thank you for watching this section on Risk Management Operations. Please stay tuned for the rest of the presentation.
[Audio] Slide 44 of the December 2021 Egypt Financial Cybersecurity Framework describes the risk management program an organization must build to address threats to its business components, processes, and people. The Risk Management Operations function is responsible for this process. Its goal is to frame, assess, monitor, mitigate, and respond to risks. This is achieved through a strategic determination of the organization's risk tolerance and the use of a risk assessment matrix that prioritizes decision-making by probability and impact. Personnel supporting risk management must have knowledge of cybersecurity controls and best practices and be able to conduct risk assessments, identify gaps, recommend the necessary controls, and monitor treatment actions to completion. They should also have hands-on experience with Governance, Risk, and Compliance (GRC) tools. Relevant industry certifications include ISACA Certified in Risk and Information Systems Control (CRISC), ISACA Certified Information Security Manager (CISM), and ISC2 Certified Information Systems Security Professional (CISSP). On the process side, the organization must have a documented standard for its risk committee, outlining the committee's role, responsibilities, and membership. This committee advises the Board of Directors on risk appetite, profile, and tolerance, determines the acceptable level of risk, and guides the development of the risk management program. A formal risk management program, based on organizational policy, enables the organization to analyze and mitigate the specific risks it faces.
[Audio] This slide discusses risk scoring and the use of a risk register in managing cybersecurity risks. Organizations must have a system in place to continuously monitor and assess potential risks. Risks are scored and grouped into broader classifications, such as political, environmental, economic, geopolitical, social, and technological, each of which may have sub-classifications that give the risk register more detail. A documented standard should be in place to catalog and periodically review these risks, along with their mitigating controls. This is accomplished through a risk register, whose fields include risk description, identification date, risk type, impacted business area, asset or project owner, impact, probability, status, and the mitigating control and treatment plan. Governance, Risk, and Compliance (GRC) technology is the recommended way to implement the register, since it allows integration with other business systems, generation of metrics, customized dashboards, and recurring automated reports. Criticality levels should also be assigned to resources, including processes, business services, applications, and assets, so that risks can be prioritized. In conclusion, a robust risk scoring system and a well-maintained risk register can greatly assist organizations in managing and mitigating cybersecurity risks, and a GRC system supports this through comprehensive risk analysis and compliance tracking.
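To make the register fields and the probability-by-impact scoring concrete, here is an added example of a minimal risk register with the periodic-review and escalation checks a GRC dashboard would run. It is not code from the framework or from any GRC product; the 1 to 5 scales, the rating bands, the 90-day review interval and every register entry are constructed assumptions.

```python
"""Added example, not from the CBE framework or any GRC product: a minimal risk
register with probability x impact scoring, periodic-review tracking and the
summary views a GRC dashboard would produce. The register fields follow the
slide's list; the 1..5 scales, rating bands, 90-day review interval and all
register entries below are constructed assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed rating bands over the 1..25 score: (threshold, label), highest first.
RATING_BANDS = [(16, "Critical"), (10, "High"), (5, "Medium"), (1, "Low")]
AS_OF = date(2021, 12, 1)  # reporting date used by the report below


@dataclass
class Risk:
    risk_id: str
    description: str
    identified: date
    risk_type: str              # political, environmental, economic, geopolitical, social, technological
    business_area: str
    owner: Optional[str]
    impact: int                 # 1 negligible .. 5 severe
    probability: int            # 1 rare .. 5 almost certain
    status: str = "open"        # open / treating / accepted / transferred / closed
    treatment: Optional[str] = None
    last_reviewed: Optional[date] = None

    def __post_init__(self):
        if not (1 <= self.impact <= 5 and 1 <= self.probability <= 5):
            raise ValueError(f"{self.risk_id}: impact and probability must be 1..5")

    @property
    def score(self) -> int:
        return self.impact * self.probability

    @property
    def rating(self) -> str:
        for threshold, label in RATING_BANDS:
            if self.score >= threshold:
                return label
        return "Low"


REGISTER = [  # constructed entries
    Risk("R-001", "Unpatched internet-facing web server", date(2021, 8, 12), "technological",
         "Digital channels", "IT Ops", impact=5, probability=4, last_reviewed=date(2021, 9, 1)),
    Risk("R-002", "Phishing leading to credential theft", date(2021, 5, 3), "technological",
         "All", "CISO", impact=4, probability=4, status="treating",
         treatment="MFA rollout, phishing simulations", last_reviewed=date(2021, 11, 15)),
    Risk("R-003", "Insolvency of payment-processing vendor", date(2021, 6, 20), "economic",
         "Payments", "Procurement", impact=4, probability=2, status="accepted"),
    Risk("R-004", "Regional connectivity disruption", date(2020, 11, 2), "geopolitical",
         "Branch network", "COO", impact=3, probability=2, status="closed",
         last_reviewed=date(2021, 1, 10)),
    Risk("R-005", "Legacy core-banking module out of vendor support", date(2021, 10, 5),
         "technological", "Core banking", None, impact=5, probability=3,
         treatment="Migration project", last_reviewed=date(2021, 11, 20)),
]


def overdue_reviews(register, as_of, interval_days=90):
    """Non-closed risks never reviewed, or last reviewed more than interval_days ago."""
    cutoff = as_of - timedelta(days=interval_days)
    return [r.risk_id for r in register
            if r.status != "closed" and (r.last_reviewed is None or r.last_reviewed < cutoff)]


def needs_attention(register):
    """Open High/Critical risks with no treatment plan or no accountable owner."""
    return [r.risk_id for r in register
            if r.status == "open" and r.rating in ("High", "Critical")
            and (not r.treatment or not r.owner)]


def summary_by_type(register):
    """Per-category count and worst score, the kind of metric a GRC dashboard reports."""
    out = {}
    for r in register:
        entry = out.setdefault(r.risk_type, {"count": 0, "max_score": 0})
        entry["count"] += 1
        entry["max_score"] = max(entry["max_score"], r.score)
    return out


if __name__ == "__main__":
    for r in REGISTER:
        print(f"{r.risk_id} {r.rating:8} score={r.score:2} status={r.status}")
    print("review overdue:", overdue_reviews(REGISTER, AS_OF))
    print("needs attention:", needs_attention(REGISTER))
    print(summary_by_type(REGISTER))
```

Two details are worth copying into a real register: an accepted risk still needs periodic review (acceptance is a decision that expires, not a closure), and a High or Critical risk with no owner is flagged even when it already has a treatment plan, because without an accountable owner nobody is tracking the plan.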
[Audio] In this section of our presentation on the Egypt Financial Cybersecurity Framework for December 2021, we will be discussing the governing standards for risk management. As shown in Table 11, several standards provide specific guidance on security controls, including NIST Special Publication 800-53, ISO 27001, and the Payment Card Industry Data Security Standard (PCI/DSS). For further guidance, consult NIST Special Publication 800-30 Rev. 1 for risk assessments, NIST Special Publication 800-34 Rev. 1 for contingency planning, and NIST Special Publication 800-39 for managing information security risk, as well as ISO 31000 for risk management and ISO 27005 for information security risk management. Moving on to controls and best practices, NIST CSF, NIST SP 800-53 rev5, ISO 27001:2013, and PCI DSS 3.2.1 all have requirements for a risk committee and a formal risk management program, mapped to the NIST CSF ID.RM category and ID.GV-2 subcategory. For risk monitoring and classification, the relevant NIST SP 800-53 controls are PM-9, PM-28, and the RA (Risk Assessment) family, with corresponding clauses in ISO 27001 and PCI DSS. Lastly, for the GRC system, NIST CSF and NIST SP 800-53 map to ID.GV-3 and ID.RM-2 and to all the control families mentioned in this presentation. This concludes our discussion of the risk management operations controls. Please refer to Table 11 for a detailed reference, and stay tuned for the next section of our training on the Egypt Financial Cybersecurity Framework.
[Audio] We will now cover Asset Management. Understanding and managing information assets is crucial to a strong cybersecurity program. The objective of Asset Management is to identify and oversee all assets and ensure that proper mitigating controls are in place, which protects against common weaknesses such as rogue devices, unclear ownership, undocumented data flows, and unknown configurations. There should be a documented process, aligned with organizational policy, covering the identification, lifecycle, handling, and classification of assets. The process should also include self-assessment criteria and a review schedule for existing assets, covering ownership, location, description, threats, risks, and mitigating measures. Asset Management includes all systems, functions, applications, and business services, not just physical or cybersecurity assets, so it requires understanding each asset's functional dependencies as well as identifying it. In addition, there should be a documented process or standard, aligned with organizational policy, for Media Handling and Information Asset Classification, so that information is handled and classified according to its sensitivity. This covers classification standards, approved methods for transit and storage, data disposal and retention, data operational level agreements (OLAs), and the identification of data custodians. Personnel supporting Asset Management must have extensive knowledge of these processes and procedures to manage and protect the organization's assets effectively. This is a critical aspect of the Egypt Financial Cybersecurity Framework for December 2021.
[Audio] Slide number 49 will focus on technology capabilities within the EGYPT FINANCIAL CYBERSECURITY FRAMEWORK for December 2021. First, the Asset Management Database tracks all hardware and software assets permitted to access and communicate within the organization's environment. For each asset it must capture the key technical identifiers: operating system and patch level, hostname, hardware and network addresses, an inventory of installed firmware and software, and the accounts associated with the asset. All selected technologies must also be onboarded to the Security Operations Center, following the "Verbose Logging Standard" in Section 3.3.4b. Next, the Configuration Management Database (CMDB) tracks and stores configuration information for the software and hardware assets that support business objectives, capturing ownership, location, description, configuration, upstream and downstream dependencies, criticality, and data classification. Finally, the control baseline in Table 12: baselines and hardening techniques are crucial for reducing the attack surface, and their specific implementation varies with system features, operating systems, vendors, software versions, and system types. CIS Benchmarks provide baseline configurations for specific platforms, and the relevant CIS Controls v8 safeguards are listed; for detailed guidelines, consult the CIS Benchmarks and the NIST National Checklist Program (NCP) Checklist Repository. Slide number 50 will continue our discussion of technology capabilities, configuration management, and the control baseline.
[Audio] This slide covers the CIS Control details for asset inventory and discovery, with each safeguard listed by its ID and mapped to its NIST CSF category and to the sensor or baseline that supports it. The first safeguard is to establish and maintain an accurate, detailed inventory of all enterprise assets with the potential to store or process data, including end-user devices, network devices, non-computing/IoT devices, and servers. The inventory records each asset's network address, hardware address, machine name, data asset owner, and department, and indicates whether the asset is approved to connect to the network, covering physical and virtual connections and assets in cloud environments. The inventory must be reviewed and updated at least every six months. To address unauthorized assets, a process must run weekly to identify and handle them, for example by removing the asset from the network, denying it remote access, or quarantining it. To support discovery, an active discovery tool identifies assets connected to the network and runs daily or more frequently, and a passive discovery tool detects assets from observed traffic, with its results reviewed and used to update the inventory at least weekly. The next safeguard is a detailed inventory of all software within the enterprise, including licensed, open source, and custom-built software, reviewed and updated regularly so that all software remains accounted for. Thank you for your attention to these controls for asset inventory and discovery.
As we conclude our presentation, we hope you now have a better understanding of the CIS Control details for asset inventory and discovery and their NIST CSF mapping. Thank you for joining us for this training and onboarding session.
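The inventory, unauthorized-asset and discovery safeguards above come together in one recurring job: reconcile what the active and passive discovery tools saw against the authorized inventory. The following is an added example of that reconciliation, not code from the framework or from any inventory or scanning product; the inventory fields follow the slide's list, the scan records are constructed sample data, and their layout is an assumption rather than the output format of any real tool.

```python
"""Added example, not from the CBE framework or any inventory product: reconcile
active and passive discovery results against the authorized asset inventory, as
CIS Controls v8 safeguards 1.1 to 1.5 describe. Inventory fields follow the
slide's list; the scan records are constructed and their layout is an assumption."""
from datetime import date, timedelta

AS_OF = date(2021, 12, 1)  # date of this reconciliation run


def norm_mac(mac):
    """Canonical lower-case colon form so '00-1A-2B-3C-4D-5E' and '001a.2b3c.4d5e' compare equal."""
    hexdigits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"bad MAC: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


INVENTORY = [  # constructed authorized asset inventory (fields from CIS safeguard 1.1)
    {"mac": "00:1a:2b:3c:4d:01", "ip": "10.10.1.10", "name": "core-db-01",
     "owner": "dba-team", "dept": "IT", "approved": True, "last_reviewed": date(2021, 7, 1)},
    {"mac": "00:1a:2b:3c:4d:02", "ip": "10.10.1.11", "name": "teller-ws-17",
     "owner": "branch-ops", "dept": "Retail", "approved": True, "last_reviewed": date(2021, 11, 2)},
    {"mac": "00:1a:2b:3c:4d:03", "ip": "10.10.1.12", "name": "old-print-srv",
     "owner": "facilities", "dept": "Ops", "approved": False, "last_reviewed": date(2021, 3, 15)},
    {"mac": "00:1a:2b:3c:4d:04", "ip": "10.10.1.13", "name": "hsm-mgmt",
     "owner": "crypto-ops", "dept": "IT", "approved": True, "last_reviewed": date(2021, 10, 20)},
]

ACTIVE_SCAN = [  # constructed daily active-discovery results (safeguard 1.3)
    {"ip": "10.10.1.10", "mac": "00-1A-2B-3C-4D-01", "hostname": "core-db-01"},
    {"ip": "10.10.1.11", "mac": "00-1A-2B-3C-4D-02", "hostname": "teller-ws-17"},
    {"ip": "10.10.1.12", "mac": "00-1A-2B-3C-4D-03", "hostname": "old-print-srv"},
    {"ip": "10.10.1.50", "mac": "F4-5C-89-AA-BB-01", "hostname": "android-7f3e"},
]

PASSIVE_OBS = [  # constructed passive observations, e.g. from DHCP/ARP (safeguard 1.5)
    {"mac": "f45c.89aa.bb01", "ip": "10.10.1.50"},
    {"mac": "d8bb.c1ee.0042", "ip": "10.10.1.77"},  # never answered the active scan
]


def reconcile(inventory, active, passive, as_of, review_days=182):
    """Return unauthorized assets for the weekly handling process (safeguard 1.2),
    inventory entries no discovery method has seen, and entries whose
    six-monthly review is overdue."""
    known = {a["mac"]: a for a in inventory}
    seen = {}
    for rec in active:
        seen.setdefault(norm_mac(rec["mac"]), {"ip": rec["ip"], "via": set()})["via"].add("active")
    for rec in passive:
        seen.setdefault(norm_mac(rec["mac"]), {"ip": rec["ip"], "via": set()})["via"].add("passive")

    unauthorized = []
    for mac, obs in sorted(seen.items()):
        asset = known.get(mac)
        if asset is None:
            reason = "not in inventory"
        elif not asset["approved"]:
            reason = f"not approved ({asset['name']})"
        else:
            continue
        unauthorized.append({"mac": mac, "ip": obs["ip"], "reason": reason, "via": sorted(obs["via"])})

    not_seen = sorted(a["name"] for a in inventory if a["mac"] not in seen)
    cutoff = as_of - timedelta(days=review_days)
    review_overdue = sorted(a["name"] for a in inventory if a["last_reviewed"] < cutoff)
    return {"unauthorized": unauthorized, "not_seen": not_seen, "review_overdue": review_overdue}


if __name__ == "__main__":
    report = reconcile(INVENTORY, ACTIVE_SCAN, PASSIVE_OBS, AS_OF)
    for row in report["unauthorized"]:
        print("UNAUTHORIZED", row["mac"], row["ip"], row["reason"], "seen via", ",".join(row["via"]))
    print("in inventory but not observed:", report["not_seen"])
    print("review overdue:", report["review_overdue"])
```

Normalizing the hardware address before comparison is the step most often skipped and the usual cause of false "unauthorized" findings, since scanners, DHCP servers and switches each format MACs differently. The device seen only passively (10.10.1.77) is why safeguard 1.5 exists alongside active scanning: a host that drops probes still leaks its presence through ARP and DHCP.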