
Our class focuses on integrating many different aspects of cybersecurity, information security, and information assurance

Computer Science

Our class focuses on integrating many different aspects of cybersecurity, information security, and information assurance.  Recent developments in the field of cybersecurity have resulted in a number of "maturity models" which can be used by external assessors to evaluate the maturity level of an organization's cybersecurity management program.

For this discussion paper, you will need to research the Department of Energy's Cybersecurity Maturity Model and then compare it to the NIST Cybersecurity Framework and other frameworks listed in the course readings. After you have done so, write a position paper in which you recommend a cybersecurity framework or maturity model as the basis for assessing the cybersecurity program for Padgett-Beale Financial Services. Assessments will be performed on an annual basis beginning one year after the company launches its new operations.

Your 5-7 paragraph position paper must answer the following questions (at a minimum). (You will need to write clearly and concisely to fit all required information into this restricted length.)

  • What approach should the organization take in developing the Cybersecurity Management program? (What standards or frameworks should be used?)
  • What laws and regulations must be addressed by the Cybersecurity Management Program in a financial services firm?
  • What are the best practices that should be put into place to assess the maturity of PBI-FS's cybersecurity management program?

 


Answer Preview

Recommended Approach

Upon purchasing financial services from Island Banking Services, the establishment of a cybersecurity management program for Padgett-Beale is inevitable. As informed by the National Institute of Standards and Technology (NIST), organizations in the modern world must balance the ever-changing cybersecurity threats against the necessity to accomplish business operations. With this in mind, I believe that the NIST Cybersecurity Framework is the ideal approach for Padgett-Beale Financial Services in developing its cybersecurity management program. The most notable reason for this standpoint revolves around the framework’s capability to establish a shared comprehension of cybersecurity risks. This implies that the aforementioned framework provides a shared language that permits all the staff “within an organization, including the stakeholders, to develop a shared understanding of their cybersecurity risks” (NIST, n.d., par.2).

Moreover, the NIST Cybersecurity Framework offers a broader range of other benefits, which will be significant for Padgett-Beale Financial Services. For instance, besides helping the organization to lessen cybersecurity threats with custom-built measures, the approach will further help Padgett-Beale Financial Services to respond to as well as recover from cybersecurity incidents, notably by stimulating the analysis of the underlying causes and how to make enhancements. Generally speaking, the implementation of the NIST Cybersecurity Framework will be immensely valuable for the Padgett-Beale organization. To sum up, the framework is risk-based. This implies that upon its implementation, it will play a pivotal function in helping to determine Padgett-Beale’s risky assets as well as devising ways to protect them (Scofield, 2016).

Laws and Regulations that Must Be Addressed

In the financial sector, there are multiple regulations that must be adhered to in order to conduct business. For this reason, when considering the implementation of a cybersecurity management program, it is vital for financial firms to comprehend how these regulatory standards impact the company’s daily operations. One of these regulations is the Payment Card Industry (PCI) Data Security Standards (DSS). Often referred to as PCI DSS, this regulation is an international set of standards governing how financial companies must handle credit card information. Further, the regulation requires financial service firms to sustain a secure data network as well as consistently monitor data across their network with the aim of preventing theft and destruction of credit card data. Thus, compliance with the PCI DSS mandates financial firms to devise programs that provide complex security solutions to safeguard crucial financial information.

Besides the PCI DSS, the other regulation that must be addressed by the said program is the Bank Secrecy Act. This regulation aims at averting financial companies from being utilized to launder money, notably by authenticating the legitimacy of currency-related transactions. Basically, with cyber-criminals using data manipulation strategies to adjust currency records, the majority of auditors today often inspect a firm’s cybersecurity system during evaluation. Thus, the aforesaid act should be addressed by an organization’s cybersecurity management program. Moreover, the Sarbanes-Oxley Act is another vital regulation that must be addressed by such programs. As a US law, the regulation requires financial firms to protect and monitor financial-related data, alongside maintaining the validity of financial records. To achieve this, therefore, it is a prerequisite for such firms to have cybersecurity practices and standards in their cybersecurity management programs.

Assessing the Maturity of Cybersecurity Management Program

Broadly, evaluating the maturity of PBI-FS’s cybersecurity management-related program revolves around the idea of ascertaining the degree of preparedness to mitigate threats and vulnerabilities from hackers. The more mature such a program is, the more equipped an organization is to prevent cybersecurity risks. There are multiple practices that PBI-FS can use to assess its cybersecurity management program’s maturity. The majority of these practices, however, can be extracted from the NIST Cybersecurity Framework and the C2M2 – Cyber Security Capability Maturity Model. For instance, considering the C2M2, PBI-FS can assess its maturity level in the aforesaid program, notably by evaluating its strengths and weaknesses in multiple areas. This can be achieved using multiple practices, including (but not limited to) assessing risk management capability, identity and access management, incident response, as well as continuity of operations (Rea-Guaman et al., 2016).

Further, the use of cybersecurity metrics is another best practice that PBI-FS can use to assess the maturity of its cybersecurity management program. This includes assessing the number of blocked devices that are not in the organization's inventory, determining the number of individuals or rather staff who are clicking bad links each month, as well as ascertaining the duration of time taken to resolve incidents, including the magnitude of their impact on the organization. Such assessments can be done through the utilization of the vast amount of data obtained from the company’s cybersecurity program. In other words, all sorts of information in PBI-FS’s cybersecurity program can be used to establish metrics, which will inform the program’s level of maturity.
