Reserve Bank aims to improve cyber security posture
- 14 March, 2019 08:30
The Reserve Bank wants to up its security game
The Reserve Bank is exploring the security operations centre (SOC) and security management services market to lift its capabilities.
The central bank said it has an existing internal security incident event management (SIEM) and SOC capability, but adds there are improvements to that capability that would benefit the security posture of the bank.
"RBNZ believes that the supplier market may be able provide an uplift in security capabilities, that provides contextual alerting and management of incidents; in a broader and more sophisticated manner than the current in-house implementation," it said in a request for information (RFI) posted this week.
"Given RBNZ’s existing technology investments we want to understand how suppliers may leverage both our existing tooling, and supplier technology, to ensure that maximum benefits are achieved from the implementation of SIEM type products."
The bank also wants to understand how such a service would interface with existing people and processes effectively.
RBNZ defines a SOC as: “a combination of people, processes and technology protecting the information systems of an organisation through: proactive design and configuration, ongoing monitoring of system state, detection of unintended actions or undesirable state, and minimising damage from unwanted effects.”
Responses to the RFI will be used to develop a sourcing strategy for RBNZ’s requirements by determining the range of possible solutions, technologies and goods or services available, possible costs and a better understanding of the suppliers in the market.
"We are seeking your input to understand existing services and systems, to help inform our business case and to plan our formal tender approach to the market," it said.
The bank added that information from the RFI will not be used to appoint or shortlist for appointment a preferred supplier, nor to confer any advantage or disadvantage on any party who responds or does not make a respond.
In 2017, the bank considered introducing more prescriptive cyber security requirements for the financial and banking sector it regulates, but opted not to.
“We doubt that prescriptive regulations would appreciably improve the outcome, when the technology and threat landscape are both changing so rapidly," Reserve Bank head of prudential supervision Toby Fiennes warned in a speech in Auckland. "We will, however, review this policy stance from time-to-time to ensure that it remains appropriate."