Columbia's CITI/DFSO Cybersecurity Actionable Risk Managment Framework


Columbia's CITI/DFSO Cybersecurity Actionable Risk Managment Framework Initiative

Collaborate with us on our initiative to produce a cybersecurity actionable risk management framework for digital financial services (DFS).

See the webinar below which previews the A-RMF along with a Questions & Answers session following.

About the initiative

There are over 270 non-bank Digital Financial Service Providers (DFSPs) in over 100 mainly developing countries offering DFS to over 800 million people, many of whom have never had access to formal financial services due to being ignored by banks. The DFS ecosystem comprises actors of varying organizational size and maturity and capabilities.  Whilst all organizations need to be vigilant of any risk to safe and successful operations, the wide spectrum of organizational capabilities make this extremely difficult to achieve across the DFS ecosystem.  This is especially true of less mature organizations.  Of the multiple risks that can affect an organization, cybersecurity risk is extremely important.  The impact of a cybersecurity incident on the wellbeing of an organization can be profound.

The aim of the A-RMF (as contained in our Executive Summary) is to ensure that DFS organizational operations and services are contained within a safe and secure environment that maintains the confidentiality and integrity of data and information; secures funds, which limits and confines availability only to authorized persons/parties; and acts proactively and reactively to cyber-attacks to minimize and/or eliminate impact and disruption. The A-RMF has been created by building on international cybersecurity standards and best practices.  It combines these with propriety IP to create a cyber hygiene maturity framework, providing proactive process steps to best protect from cybersecurity incidents and reactive process steps should a cybersecurity incident happen. The process steps are tailored towards the capabilities of a DFS actor.

Cybersecurity A-RMF Documents & Informational Video

Below you can find a full set of our current A-RMF documents including video presentations. 

Collaborate with Us!

The A-RMF in its current form has been created by research and collaboration with experts in cybersecurity, financial inclusion and DFS and is ready for review and feedback.

We are requesting feedback on the two operational components of the A-RMF:

  • Preventative Processes
  • Threat Matrix

For both components, we are requesting feedback on:

  • The content of these components
  • Whether this can be used operationally in your organization, and if you’d be willing to implement them

We would request that feedback be provided via e-mail by reaching out to us directly (information contained in our Feedback Program Guidelines document or initially by contacting us using our contact form.

Documents / Downloads

    DFSO A-RMF - Executive Summary

    • A summary of the entire project with explanations of each portion. You may have received this document initially from us.

Informational / Instructional Videos

Three videos walking through an update to our Feedback Program management framework in addition to the A-RMF Pre-Release Introduction with Q&A below.

A-RMF Webinar of the Pre-Release A-RMF with Questions & Answers Session (December 15)

A-RMF Introduction Revised: 1 of 3

Updated revision of the introduction to the RMF, Feedback Program, cyber hygiene maturity model, operational overview, preventative processes, risk assessment information and an earlier, prerelease project timeline.

A-RMF Preventative Process Component: 2 of 3

An explanation and review of each worksheet tab for the Process Based Cybersecurity Framework Component.

A-RMF Threat Matrix: 3 of 3

An explanation and review of each worksheet tab for the new threat matrix component worksheet.

Legal Disclaimer: The content appearing on this site is for general information purposes only and made available on an "AS-IS" basis. The law is subject to change and no representation or warranty is made with regard to accuracy or fitness for a particular purpose.