Breach Review Terms of Reference

 Date released: 29 January 2021

Background

The Reserve Bank of New Zealand (The Bank) has been the subject of a malicious breach of one of its data systems. A third party file sharing service used by the Bank to share and store some sensitive information, was illegally accessed and information stored on that system has likely been compromised.

The breach has been contained and the system has been secured and taken offline to limit any further exposure. The Bank is continuing to work closely with domestic and international cyber security experts and other relevant authorities as part of the ongoing investigation and response to the attack.

Objective

The overall objective of this review is to provide insights and recommendations to the Board, Governors and management on potential risk exposures, root causes and contributing factors in regards to information and critical systems management and associated security practices at the Bank in context of the illegal breach of our file transfer system.

The Bank would like to:

  1. Understand and confirm the timeline of events and actions taken leading up to and the immediate response to the breach.
  2. Assess the appropriateness of the incident response and actions taken to mitigate / remediate the breach, noting any perceived gaps or improvements.
  3. Identify any potential design or operating effectiveness control weaknesses that may have contributed to the breach, including any thematic or systemic issues in relation to:
    1. The level of awareness and action plans in place to address relevant outstanding audit findings, recommendations and Post Incident Process Improvements (PPIs).
    2. The robustness of current information management and information security technical, people and process related controls and their alignment with the Banks risk appetite and enterprise risk register.
    3. Any relevant perceived weaknesses or improvements to the Bank’s risk appetite assessment and/or enterprise risk framework to meet information management and information security best practice for our sector.
    4. Areas for improvement in the policies and procedures of Digital Services and Information Security have implemented for the identification, management oversight, maintenance and assurance (Certification and Accreditation) of critical or high-risk information systems and/or end of life technology.

Scope

The scope of this review will include the following:

  1. Event timeline and actions
    1. Obtaining and assessing relevant artefacts that support the initial and subsequent notification and communication of the vulnerability from the vendor, detection of the breach, implementation of the patches and the decisions, actions taken prior to, during the incident and any immediate containment actions. NOTE: As management’s incident investigation is still in progress the scope of the assessment is limited to the activities of the Incident Response Team and other relevant Bank staff/ third parties up until 9 January 2021. An assessment of any historical activities will also be included to the extent they are relevant to the current incident.
    2. Assessing the appropriateness and compliance with Bank policies on documentation/evidence supporting the process followed and formal approval of decisions made.
  2. Incident Response
    1. Assessing the appropriateness of the incident response approach, governance, assessment of implications/risks and actions taken to mitigate/remediate the breach.
    2. Understanding the overall process followed and the level of alignment to the Banks Incident Response Policies and Procedures and any other relevant external obligations.
    3. Evaluating potential areas for improvement in the Banks current Incident Response Policies and Procedures.
  3. Risk Management
    1. Evaluating relevant supporting documentation relating to the planned replacement of the at-risk file transfer system.
    2. Assessing the level of awareness of the potential risk exposure with the file transfer platform including the nature and extent of information stored, acceptable use requirements and guidelines, staff working practices and operational and security monitoring.
    3. The level of awareness and action plans in place to address any relevant outstanding audit findings, recommendations and Post Incident Process Improvements (PPIs).
    4. Any relevant perceived weaknesses or improvements to the Bank’s risk appetite assessment and/or enterprise risk framework to meet information security and information management best practice for our sector.
  4. Controls Assessment
    The review will include an assessment of the design and operating (based on the level of risk) effectiveness of key controls designed to identify, prevent, detect, respond and recover from similar incidents in the future and their alignment with the Banks risk appetite and enterprise risk framework and information security best practice. Key areas of focus will include:
    1. Information management: Including the policies and procedures for classifying information assets, preventative and detective measures to detect data loss of high-risk information assets, information governance frameworks and polices in place, and staff awareness and training.
    2. Information Security Risk management: Including logical access controls, monitoring controls, change control, patch and vulnerability management, and platform resilience.
    3. Platform management: Including development and maintenance of an application inventory, ongoing risk assessment, systems ownership and roles and responsibilities, Certification and Accreditation processes and procedures during the application/system lifecycle, Platform maintenance and monitoring compliance with relevant standards of the Bank and Government (e.g NZISM).
    4. Governance: Digital Services Risk management and reporting and KPIs, Roles and responsibilities, Budgeting and funding, Strategy and Roadmap development, Governance reporting scope and regularity to the Bank’s senior leadership team and the RBNZ board/ Risk Committee.

The scope excludes:

  • detailed assessment of the vendor control environment and software development processes and procedures.
  • A comprehensive business wide review of information management practices, as the Bank is scheduling this for later in the year.

We will advise you of any significant changes to this scope that may occur during the course of the audit.

Approach

As the incident investigation is currently still in progress, key staff will be rightly focused ensuring the incident is fully understood, resolved and remediated. To ensure that this review does not impact the ability of the team to focus on this critical task but to also provide the Governors and management with an appropriate level of confidence in the process being followed and actions being taken the following two phased approach is proposed:

  • Phase 1: Complete Scope items 1, 2 and 3 (Event timeline and actions, Incident Response and Risk Management) to provide confidence in current activities.
  • Phase 2: Complete Scope item 4. Item 4 has a bank-wide, more future focused to ensure a similar event does not reoccur and therefore could commence once the incident has been fully resolved.

It is acknowledged that the results of Phase 1 may also require subsequent changes to the scope of Phase 2.

Deliverable

The deliverable will include a report summarising our findings and a prioritised set of recommendations for improvement.