Non-FINRA Cybersecurity Resources

FINRA has assembled a list of resources that firms may use to manage their cybersecurity risk. The resources are listed below by category.

Use of any of these resources does not ensure compliance with FINRA’s cybersecurity rules and policies. FINRA does not endorse or guarantee any of the resources listed below.

News and Analysis

Brian Krebs  
Krebs on Security is a cybersecurity blog that provides in-depth security news and investigation.

DARKReading  
DARKReading is a cybersecurity news site covering top stories in information security including new cyber threats, vulnerabilities and technology trends.

Verizon Data Breach Report
This report is a collection of real-world data breaches and information security incidents from 2015.

Effective Practices and Guidance

Best Practices for US Financial Institutions: Reducing Risks Associated with Destructive Malware 
The Financial Services Information Sharing and Analysis Center (FS-ISAC) published this white paper on controls to help firms identify, prevent, detect, respond to and recover from destructive malware attacks.

CIS Critical Security Controls
The CIS Critical Security Controls are a recommended set of actions for cyber defense that provide specific and actionable ways to manage and reduce today's most pervasive and dangerous attacks.

FBI Local Offices
The FBI has 56 field offices located in the US and Puerto Rico. Find your local office from this site.

NIST Cybersecurity Framework
The National Institute of Standards and Technology (NIST) has created a Cybersecurity Framework based on existing standards, guidelines, and practices, for critical infrastructure organizations to better manage and reduce cybersecurity risk. In addition, it was designed to foster risk and cybersecurity management communications amongst both internal and external organizational stakeholders.

Open Web Application Security Project (OWASP)
The OWASP is an organization focused on improving the security of software. OWASP provides impartial, practical information about application software security to individuals, corporations, universities, government agencies and other organizations worldwide.

SANS Security Resources
The SANS Security page provides a cybersecurity reading room with whitepapers on a wide array of cybersecurity topics, resources to support the development and implementation of information security policies, SANS Technology Institute research, Cybersecurity news and awareness material, and other useful resources.

SIFMA Cybersecurity Guidance for Small Firms
This guide builds upon the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework, which is derived from existing industry standards. Firms should apply the best practices in this guide in a risk-based, threat-informed approach based on the resources available and in support of their firm’s overall business model. 

Web Application Security Consortium (WASC)
The WASC is an organization that produces open source and widely agreed upon best-practice security standards for the World Wide Web. WASC consistently releases technical information, contributed articles, security guidelines, and other useful documentation.

Free Diagnostic Tools

Baldrige Cybersecurity Excellence Builder 
This draft document from the National Institute of Standards and Technology (NIST) provides key questions for improving your organization’s cybersecurity performance.

FFIEC Cybersecurity Assessment Tool
The Federal Financial Institutions Examination Council (FFIEC) has developed a cybersecurity assessment tool to help financial institutions identify their risks and determine their cybersecurity preparedness.

Web Server Encryption Test
This free online service from Qualys SSL Labs performs a deep analysis of the communication security configuration of any secure web server on the Internet. 

Other Resources

Financial Services Information Sharing and Analysis Center (FS-ISAC) 
The FS-ISAC is a member-driven organization that shares threat and vulnerability information, conducts coordinated contingency planning exercises, manages rapid response communications for both cyber and physical events, conducts education and training programs, and fosters collaborations with and among other key sectors and government agencies. 

Standard Information Gathering (SIG) questionnaire (lite version)
Shared Assessments provides this questionnaire to help firms gather all of the information necessary to conduct an initial assessment of a third-party vendor's information technology, privacy and data security controls.

Feel free to email us to provide feedback and suggestions to enhance this page.