State Street’s Corporate Information Security (CIS) organization defines and manages the enterprise-wide CIS Program. CIS partners with Information Technology, corporate functional areas, and business units to implement controls designed to protect the confidentiality, integrity and availability of corporate information assets.
The CIS Program and underlying controls cover every aspect of our information risk environment, including architecture, networks, information systems, data, organizational structure, risk mitigation, communications and training. State Street has adopted several frameworks, including the NIST Critical Infrastructure Framework (NIST CF) and the ISO 2700X series. The NIST CF provides a holistic view of organizational cyber security. The ISO 2700X series (an information security management framework) provides more fine-grained control, detailing the set of security measures being implemented under that framework.
We’ve recently begun implementing the NIST CF, which focuses on the essential elements of a security enterprise and documents the current state of each element. This framework helps to measure capabilities, effectiveness and readiness against the target state, with the final stage being a fully identified current and target environment.