On April 21, the Office of the Superintendent of Financial Institutions (OSFI) published Implementation Guide 1.0: Intelligence-led Cyber Resilience Testing (I-CRT) Framework, which provides the methodology and process to follow when conducting an I-CRT assessment.
As outlined by OSFI: “the overall objective of the I-CRT assessment is to regularly evaluate a FRFI’s cyber-resilience posture by identifying cyber threats and associated possible remedial actions.”
The I-CRT Framework provides guidance on the following:
I-CRT assessment criteria and cadence
Roles and responsibilities (FRFI and FRFI Control Group, Control Group Coordinator, Regulator, Threat Intelligence Service Provider and Red Team)
Risk management (I-CRT phases, I-CRT risk owner, operational secrecy, independent service providers)
I-CRT process (Initiation phase, Threat Intelligence phase, Execution phase, Closure phase)
The Guideline shall be read in conjunction with Guideline B-13, Technology and Cyber Risk Management (read our previous piece here).