Assessment Chief ≡ Fill Out Printable PDF Forms Online

Question	Answer
Form Name	Assessment Chief
Form Length	123 pages
Fillable?	No
Fillable fields	0
Avg. time to fill out	30 min 45 sec
Other names	ffiec assessment tool, cybersecurity assessment tool ffiec, ffiec assessment, cat tool ffiet

Form Preview Example

FFIEC Cybersecurity Assessment Tool

Overview for Chief Executive Officers and Boards of Directors

In light of the increasing volume and sophistication of cyber threats, the Federal Financial Institutions Examination Council1 (FFIEC) developed the Cybersecurity Assessment Tool (Assessment), on behalf of its members, to help institutions identify their risks and determine their cybersecurity preparedness. The Assessment provides a repeatable and measurable process for institutions to measure their cybersecurity preparedness over time. The Assessment incorporates cybersecurity-related principles from the FFIEC Information Technology (IT) Examination Handbook and regulatory guidance, and concepts from other industry standards, including the National Institute of Standards and Technology (NIST) Cybersecurity Framework.2

Benefits to the Institution

For institutions using the Assessment, management will be able to enhance their oversight and management of the institution’s cybersecurity by doing the following:

•Identifying factors contributing to and determining the institution’s overall cyber risk.

•Assessing the institution’s cybersecurity preparedness.

•Evaluating whether the institution’s cybersecurity preparedness is aligned with its risks.

•Determining risk management practices and controls that are needed or need enhancement and actions to be taken to achieve the desired state.

•Informing risk management strategies.

CEO and Board of Directors

The role of the chief executive officer (CEO), with management’s support, may include the responsibility to do the following:

•Develop a plan to conduct the Assessment.

•Lead employee efforts during the Assessment to facilitate timely responses from across the institution.

•Set the target state of cybersecurity preparedness that best aligns to the board of directors’ (board) stated (or approved) risk appetite.

•Review, approve, and support plans to address risk management and control weaknesses.

•Analyze and present results for executive oversight, including key stakeholders and the board, or an appropriate board committee.

1The FFIEC comprises the principals of the following: The Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, National Credit Union Administration, Office of the Comptroller of the Currency, Consumer Financial Protection Bureau, and State Liaison Committee.

2A mapping is available in Appendix B: Mapping Cybersecurity Assessment Tool to the NIST Cybersecurity Framework. NIST reviewed and provided input on the mapping to ensure consistency with Framework principles and to highlight the complementary nature of the two resources.

June 2015

FFIEC Cybersecurity Assessment Tool	Overview for CEOs and Boards of Directors

•Oversee the performance of ongoing monitoring to remain nimble and agile in addressing evolving areas of cybersecurity risk.

•Oversee changes to maintain or increase the desired cybersecurity preparedness.

The role of the board, or an appropriate board committee, may include the responsibility to do the following:

•Engage management in establishing the institution’s vision, risk appetite, and overall strategic direction.

•Approve plans to use the Assessment.

•Review management’s analysis of the Assessment results, inclusive of any reviews or opinions on the results issued by independent risk management or internal audit functions regarding those results.

•Review management’s determination of whether the institution’s cybersecurity preparedness is aligned with its risks.

•Review and approve plans to address any risk management or control weaknesses.

•Review the results of management’s ongoing monitoring of the institution’s exposure to and preparedness for cyber threats.

Assessment’s Parts and Process

The Assessment consists of two parts: Inherent Risk Profile and Cybersecurity Maturity. Upon completion of both parts, management can evaluate whether the institution’s inherent risk and preparedness are aligned.

Inherent Risk Profile

Cybersecurity inherent risk is the level of risk posed to the institution by the following:

•Technologies and Connection Types

•Delivery Channels

•Online/Mobile Products and Technology Services

•Organizational Characteristics

•External Threats

Inherent risk incorporates the type, volume, and complexity of the institution’s operations and threats directed at the institution. Inherent risk does not include mitigating controls. The Inherent Risk Profile includes descriptions of activities across risk categories with definitions for the least to most levels of inherent risk. The profile helps management determine exposure to risk that the institution’s activities, services, and products individually and collectively pose to the institution.

Least	Minimal	Moderate	Significant	Most Inherent
Inherent Risk	Inherent Risk	Inherent Risk	Inherent Risk	Risk

When each of the activities, services, and products are assessed, management can review the results and determine the institution’s overall inherent risk profile.

June 2015

FFIEC Cybersecurity Assessment ToolOverview for CEOs and Boards of Directors

Cybersecurity Maturity

The Assessment’s second part is Cybersecurity Maturity, designed to help management measure
the institution’s level of risk and corresponding controls. The levels range from baseline to
innovative. Cybersecurity Maturity includes
statements to determine whether an institution’s		Innovative
behaviors, practices, and processes can support		Innovative
behaviors, practices, and processes can support
cybersecurity preparedness within the following		Advanced
five domains:		Advanced
five domains:
•	Cyber Risk Management and Oversight	Intermediate
• Threat Intelligence and Collaboration
•	Cybersecurity Controls	Evolving
•	External Dependency Management

• Cyber Incident Management and Resilience

The domains include assessment factors and	Baseline
contributing components. Within each
component, declarative statements describe
activities supporting the assessment factor at each

maturity level. Management determines which declarative statements best fit the current practices of the institution. All declarative statements in each maturity level, and previous levels, must be attained and sustained to achieve that domain’s maturity level. While management can determine the institution’s maturity level in each domain, the Assessment is not designed to identify an overall cybersecurity maturity level. The figure below provides the five domains and assessment factors.

Domain 1: Cyber		Domain 2: Threat
Risk Management			Intelligence &
	& Oversight		Collaboration
	Governance			Threat
	Governance			Intelligence
				Intelligence
	Risk			Monitoring and
	Management			Analyzing

Domain 3:

Cybersecurity

Controls

Preventative

Controls

Detective

Controls

	Domain 4:		Domain 5: Cyber
	External		Domain 5: Cyber
	External	Incident Management
Dependency		Incident Management
Dependency			and Resilience
Management			and Resilience
Management
				Incident
				Incident
	Connections			Resilience
	Connections			Planning and
				Planning and
				Strategy
	Relationship			Detection,
	Relationship			Response, and
	Management			Response, and
	Management			Mitigation
				Mitigation

Resources

Information

Sharing

Corrective

Controls

Escalation and

Reporting

Training and

Culture

June 2015

FFIEC Cybersecurity Assessment Tool	Overview for CEOs and Boards of Directors

Management can review the institution’s Inherent Risk Profile in relation to its Cybersecurity Maturity results for each domain to understand whether they are aligned. The following table depicts the relationship between an institution’s Inherent Risk Profile and its domain Maturity Levels, as there is no single expected level for an institution. In general, as inherent risk rises, an institution’s maturity levels should increase. An institution’s inherent risk profile and maturity levels will change over time as threats, vulnerabilities, and operational environments change. Thus, management should consider reevaluating the institution’s inherent risk profile and cybersecurity maturity periodically and when planned changes can affect its inherent risk profile (e.g., launching new products or services, new connections).

Risk/Maturity			Inherent Risk Levels
Relationship
		Least	Minimal	Moderate	Significant	Most
Cybersecurity Maturity Level for		Innovative
	Each Domain	Advanced
		Intermediate
		Evolving
		Baseline
		Baseline

Management can then decide what actions are needed either to affect the inherent risk profile or to achieve a desired state of maturity. On an ongoing basis, management may use the Assessment to identify changes to the institution’s inherent risk profile when new threats arise or when considering changes to the business strategy, such as expanding operations, offering new products and services, or entering into new third-party relationships that support critical activities. Consequently, management can determine whether additional risk management practices or controls are needed to maintain or augment the institution’s cybersecurity maturity.

Supporting Implementation

An essential part of implementing the Assessment is to validate the institution’s process and findings and the effectiveness and sufficiency of the plans to address any identified weaknesses. The next section provides some questions to assist management and the board when using the Assessment.

Assess

maturity and inherent risk

	Reevaluate	Identify gaps
	Reevaluate	in alignment
		in alignment

Cybersecurity Management &

Oversight

• What are the potential cyber threats to the	Implement	Determine
• What are the potential cyber threats to the	plans to	Determine
institution?	attain and	desired
	attain and	state of
	sustain

• Is the institution a direct target of attacks?	maturity	maturity
	maturity

•Is the institution’s cybersecurity

preparedness receiving the appropriate level of time and attention from management and the board or an appropriate board committee?

June 2015

FFIEC Cybersecurity Assessment Tool	Overview for CEOs and Boards of Directors

•Do the institution’s policies and procedures demonstrate management’s commitment to sustaining appropriate cybersecurity maturity levels?

•What is the ongoing process for gathering, monitoring, analyzing, and reporting risks?

•Who is accountable for assessing and managing the risks posed by changes to the business strategy or technology?

•Are the accountable individuals empowered with the authority to carry out these responsibilities?

•Do the inherent risk profile and cybersecurity maturity levels meet management’s business and risk management expectations? If there is misalignment, what are the proposed plans to bring them into alignment?

•How can management and the board, or an appropriate board committee, make this process part of the institution’s enterprise-wide governance framework?

Inherent Risk Profile

•What is the process for gathering and validating the information for the inherent risk profile and cybersecurity maturity?

•How can management and the board, or an appropriate board committee, support improvements to the institution’s process for conducting the Assessment?

•What do the results of the Assessment mean to the institution as it looks at its overall risk profile?

•What are the institution’s areas of highest inherent risk?

•Is management updating the institution’s inherent risk profile to reflect changes in activities, services, and products?

Cybersecurity Maturity

•How effective are the institution’s risk management activities and controls identified in the Assessment?

•Are there more efficient or effective means for attaining or improving the institution’s risk management and controls?

•What third parties does the institution rely on to support critical activities?

•What is the process to oversee third parties and understand their inherent risks and cybersecurity maturity?

•How does management validate the type and volume of attacks?

•Is the institution sharing threat information with peers, law enforcement, and critical third parties through information-sharing procedures?

Summary

FFIEC has developed the Assessment to assist management and the board, or an appropriate board committee, in assessing their institution’s cybersecurity preparedness and risk. For more information and additional questions to consider, refer to the FFIEC Cybersecurity Assessment General Observations on the FFIEC’s Web site.

June 2015

OMB Control 1557-0328

Expiration Date: December 31, 2015

FFIEC

Cybersecurity Assessment Tool

June 2015

FFIEC Cybersecurity Assessment Tool	Contents
Contents
Contents	i
User’s Guide	1
Overview	1
Background	2
Completing the Assessment	2
Part One: Inherent Risk Profile	3
Part Two: Cybersecurity Maturity	5
Interpreting and Analyzing Assessment Results	8
Resources	10
Inherent Risk Profile	11
Cybersecurity Maturity	19
Domain 1: Cyber Risk Management and Oversight	19
Domain 2: Threat Intelligence and Collaboration	30
Domain 3: Cybersecurity Controls	34
Domain 4: External Dependency Management	47
Domain 5: Cyber Incident Management and Resilience	51

Additional Resources

Overview for Chief Executive Officers and Boards of Directors

Appendix A: Mapping Baseline Statements to FFIEC IT Examination Handbook

Appendix B: Mapping Cybersecurity Assessment Tool to NIST Cybersecurity Framework

Appendix C: Glossary

June 2015

FFIEC Cybersecurity Assessment Tool

User’s Guide

Overview

The content of the Assessment is consistent with the principles of the FFIEC Information Technology Examination Handbook (IT Handbook) and the National Institute of Standards and Technology (NIST) Cybersecurity Framework,2 as well as industry accepted cybersecurity

practices. The Assessment provides institutions with a repeatable and measureable process to inform management of their institution’s risks and cybersecurity preparedness.

The Assessment consists of two parts: Inherent Risk Profile and Cybersecurity Maturity. The

Inherent Risk Profile identifies the institution’s inherent risk before implementing controls. The Cybersecurity Maturity includes domains, assessment factors, components, and individual

declarative statements across five maturity levels to identify specific controls and practices that are in place. While management can determine the institution’s maturity level in each domain,

the Assessment is not designed to identify an overall cybersecurity maturity level.

To complete the Assessment, management first assesses the institution’s inherent risk profile

based on five categories:

∙Technologies and Connection Types

∙Delivery Channels

∙Online/Mobile Products and Technology Services

∙Organizational Characteristics

∙External Threats

Management then evaluates the institution’s Cybersecurity Maturity level for each of five

domains:

∙Cyber Risk Management and Oversight

∙Threat Intelligence and Collaboration

∙Cybersecurity Controls

∙External Dependency Management

∙Cyber Incident Management and Resilience

June 2015

FFIEC Cybersecurity Assessment Tool

User’s Guide

By reviewing both the institution’s inherent risk profile and maturity levels across the domains,

management can determine whether its maturity levels are appropriate in relation to its risk. If

not, the institution may take action either to reduce the level of risk or to increase the levels of maturity. This process is intended to complement, not replace, an institution’s risk management

process and cybersecurity program.

Background

The Assessment is based on the cybersecurity assessment that the FFIEC members piloted in

2014, which was designed to evaluate community institutions’ preparedness to mitigate cyber risks. NIST defines cybersecurity as “the process of protecting information by preventing, detecting, and responding to attacks.” As part of cybersecurity, institutions should consider

managing internal and external threats and vulnerabilities to protect infrastructure and information assets. The definition builds on information security as defined in FFIEC guidance.

Cyber incidents can have financial, operational, legal, and reputational impact. Recent high- profile cyber attacks demonstrate that cyber incidents can significantly affect capital and earnings. Costs may include forensic investigations, public relations campaigns, legal fees, consumer credit monitoring, and technology changes. As such, cybersecurity needs to be

integrated throughout an institution as part of enterprise-wide governance processes, information security, business continuity, and third-party risk management. For example, an institution’s

cybersecurity policies may be incorporated within the information security program. In addition, cybersecurity roles and processes referred to in the Assessment may be separate roles within the security group (or outsourced) or may be part of broader roles across the institution.

Completing the Assessment

The Assessment is designed to provide a measurable and repeatable process to assess an institution’s level of cybersecurity risk and preparedness. Part one of this Assessment is the

Inherent Risk Profile, which identifies an institution’s inherent risk relevant to cyber risks. Part two is the Cybersecurity Maturity, which determines an institution’s current state of

cybersecurity preparedness represented by maturity levels across five domains. For this Assessment to be an effective risk management tool, an institution may want to complete it periodically and as significant operational and technological changes occur.

Cyber risk programs build upon and align existing information security, business continuity, and disaster recovery programs. The Assessment is intended to be used primarily on an enterprise- wide basis and when introducing new products and services as follows:

∙Enterprise-wide. Management may review the Inherent Risk Profile and the declarative statements to understand which policies, procedures, processes, and controls are in place enterprise-wide and where gaps may exist. Following this review, management can determine appropriate maturity levels for the institution in each domain or the target state for Cybersecurity Maturity. Management can then develop action plans for achieving the target state.

∙New products, services, or initiatives. Using the Assessment before launching a new product, service, or initiative can help management understand how these might affect the institution’s inherent risk profile and resulting desired maturity levels.

June 2015

FFIEC Cybersecurity Assessment Tool

User’s Guide

Part One: Inherent Risk Profile

Part one of the Assessment identifies the institution’s inherent risk. The Inherent Risk Profile identifies activities, services, and products organized in the following categories:

∙Technologies and Connection Types. Certain types of connections and technologies may pose a higher inherent risk depending on the complexity and maturity, connections, and nature of the specific technology products or services. This category includes the number of Internet service provider (ISP) and third-party connections, whether systems are hosted internally or outsourced, the number of unsecured connections, the use of wireless access, volume of network devices, end-of-life systems, extent of cloud services, and use of personal devices.

∙Delivery Channels. Various delivery channels for products and services may pose a higher inherent risk depending on the nature of the specific product or service offered. Inherent risk increases as the variety and number of delivery channels increases. This category addresses whether products and services are available through online and mobile delivery channels and the extent of automated teller machine (ATM) operations.

∙Online/Mobile Products and Technology Services. Different products and technology services offered by institutions may pose a higher inherent risk depending on the nature of the specific product or service offered. This category includes various payment services, such as debit and credit cards, person-to-person payments, originating automated clearing house (ACH), retail wire transfers, wholesale payments, merchant remote deposit capture, treasury services and clients and trust services, global remittances, correspondent banking, and merchant acquiring activities. This category also includes consideration of whether the institution provides technology services to other organizations.

∙Organizational Characteristics. This category considers organizational characteristics, such as mergers and acquisitions, number of direct employees and cybersecurity contractors, changes in security staffing, the number of users with privileged access, changes in information technology (IT) environment, locations of business presence, and locations of operations and data centers.

∙External Threats. The volume and type of attacks (attempted or successful) affect an institution’s inherent risk exposure. This category considers the volume and sophistication of the attacks targeting the institution.

Risk Levels

Risk Levels incorporate the type, volume, and complexity of the institution’s operations and

threats directed at the institution. Inherent risk does not include mitigating controls.

June 2015

FFIEC Cybersecurity Assessment Tool

User’s Guide

Select the most appropriate inherent risk level for each activity, service, or product within each category. The levels range from Least Inherent Risk to Most Inherent Risk (Figure 1) and incorporate a wide range of descriptions. The risk levels provide parameters for determining the inherent risk for each category. These parameters are not intended to be rigid but rather instructive to assist with assessing a risk level within each activity, service, or product. For situations where the risk level falls between two levels, management should select the higher risk level.

Figure 1: Inherent Risk Profile Layout

Risk Levels

Activity, Service, or Product

			Risk Levels
Category: Technologies and
Connection Types	Least	Minimal	Moderate	Significant	Most

Total number of Internet service provider	No connections	Minimal complexity (1–	Moderate complexity	Significant complexity	Substantial complexity
(ISP) connections (including branch		20 connections)	(21–100 connections)	(101–200 connections)	(>200 connections)
connections)

Unsecured external connections, number	None	Few instances of	Several instances of	Significant instances of	Substantial instances of
of connections not users (e.g., file transfer		unsecured	unsecured connections	unsecured connections	unsecured connections
protocol (FTP), Telnet, rlogin)		connections (1–5)	(6–10)	(11–25)	(>25)

Wireless network access	No wireless access	Separate access	Guest and corporate	Wireless corporate	Wireless corporate
		points for guest	wireless network access	network access;	network access; all
		wireless and corporate	are logically separated;	significant number of	employees have
		wireless	limited number of users	users and access points	access; substantial
			and access points (1–	(251–1,000 users; 26–	number of access
			250 users; 1–25 access	100 access points)	points (>1,000 users;
			points)		>100 access points)

Determine Inherent Risk Profile

Management can determine the institution’s overall Inherent Risk Profile based on the number of applicable statements in each risk level for all activities (Figure 2). For example, when a majority of activities, products, or services fall within the Moderate Risk Level, management may determine that the institution has a Moderate Inherent Risk Profile. Each category may, however, pose a different level of inherent risk. Therefore, in addition to evaluating the number of instances that an institution selects for a specific risk level, management may also consider evaluating whether the specific category poses additional risk.

Figure 2: Inherent Risk Summary

Risk Levels

Least

Minimal

Moderate

Significant

Most

Number of Statements Selected in Each

Risk Level

Based on Individual Risk Levels	Least	Minimal	Moderate	Significant	Most
Selected, Assign an Inherent Risk Profile

The following includes definitions of risk levels.

∙Least Inherent Risk. An institution with a Least Inherent Risk Profile generally has very limited use of technology. It has few computers, applications, systems, and no connections. The variety of products and services are limited. The institution has a small geographic footprint and few employees.

∙Minimal Inherent Risk. An institution with a Minimal Inherent Risk Profile generally has

limited complexity in terms of the technology it uses. It offers a limited variety of less risky products and services. The institution’s mission-critical systems are outsourced. The institution primarily uses established technologies. It maintains a few types of connections to customers and third parties with limited complexity.

∙Moderate Inherent Risk. An institution with a Moderate Inherent Risk Profile generally uses technology that may be somewhat complex in terms of volume and sophistication. The

June 2015

FFIEC Cybersecurity Assessment Tool

User’s Guide

institution may outsource mission-critical systems and applications and may support elements internally. There is a greater variety of products and services offered through diverse channels.

∙Significant Inherent Risk. An institution with a Significant Inherent Risk Profile generally uses complex technology in terms of scope and sophistication. The institution offers high- risk products and services that may include emerging technologies. The institution may host a significant number of applications internally. The institution allows either a large number of personal devices or a large variety of device types. The institution maintains a substantial number of connections to customers and third parties. A variety of payment services are offered directly rather than through a third party and may reflect a significant level of transaction volume.

∙Most Inherent Risk. An institution with a Most Inherent Risk Profile uses extremely complex technologies to deliver myriad products and services. Many of the products and services are at the highest level of risk, including those offered to other organizations. New and emerging technologies are utilized across multiple delivery channels. The institution may outsource some mission-critical systems or applications, but many are hosted internally. The institution maintains a large number of connection types to transfer data with customers and third parties.

Part Two: Cybersecurity Maturity

After determining the Inherent Risk Profile, the institution transitions to the Cybersecurity Maturity part of the Assessment to determine the institution’s maturity level within each of the

following five domains:

∙Domain 1: Cyber Risk Management and Oversight

∙Domain 2: Threat Intelligence and Collaboration

∙Domain 3: Cybersecurity Controls

∙Domain 4: External Dependency Management

∙Domain 5: Cyber Incident Management and Resilience

Domains, Assessment Factors, Components, and Declarative Statements

Within each domain are assessment factors and contributing components. Under each component, there are declarative statements describing an activity that supports the assessment factor at that level of maturity. Table 1 provides definitions for each domain and the underlying assessment factors.

June 2015

	FFIEC Cybersecurity Assessment Tool	User’s Guide
Table 1: Domains and Assessment Factors Defined

Domains and Assessment Factors Defined

Domain 1

Cyber Risk Management and Oversight

Cyber risk management and oversight addresses the board of directors’ (board’s) oversight and management’s development and implementation of an effective enterprise-wide cybersecurity program with comprehensive policies and procedures for establishing appropriate accountability and oversight.

Assessment Factors

Governance includes oversight, strategies, policies, and IT asset management to implement an effective governance of the cybersecurity program.

Risk Management includes a risk management program, risk assessment process, and audit function to effectively manage risk and assess the effectiveness of key controls.

Resources include staffing, tools, and budgeting processes to ensure the institution’s staff or external resources have knowledge and experience commensurate with the institution’s risk profile.

Training and Culture includes the employee training and customer awareness programs contributing to an organizational culture that emphasizes the mitigation of cybersecurity threats.

Domain 2

Threat Intelligence and Collaboration

Threat intelligence and collaboration includes processes to effectively discover, analyze, and understand cyber threats, with the capability to share information internally and with appropriate third parties.

Assessment Factors

Threat Intelligence refers to the acquisition and analysis of information to identify, track, and predict cyber capabilities, intentions, and activities that offer courses of action to enhance decision making.

Monitoring and Analyzing refers to how an institution monitors threat sources and what analysis may be performed to identify threats that are specific to the institution or to resolve conflicts in the different threat intelligence streams.

Information Sharing encompasses establishing relationships with peers and information-sharing forums and how threat information is communicated to those groups as well as internal stakeholders.

Domain 3

Cybersecurity Controls

Cybersecurity controls are the practices and processes used to protect assets, infrastructure, and information by strengthening the institution’s defensive posture through continuous, automated protection and monitoring.

Assessment Factors

Preventative Controls deter and prevent cyber attacks and include infrastructure management, access management, device and end-point security, and secure coding.

Detective Controls include threat and vulnerability detection, anomalous activity detection, and event detection, may alert the institution to network and system irregularities that indicate an incident has or may occur.

Corrective Controls are utilized to resolve system and software vulnerabilities through patch management and remediation of issues identified during vulnerability scans and penetration testing.

Domain 4

External Dependency Management

External dependency management involves establishing and maintaining a comprehensive program to oversee and manage external connections and third-party relationships with access to the institution’s technology assets and

information.

Assessment Factors

Connections incorporate the identification, monitoring, and management of external connections and data flows to third parties.

Relationship Management includes due diligence, contracts, and ongoing monitoring to help ensure controls complement the institution’s cybersecurity program.

June 2015

FFIEC Cybersecurity Assessment Tool

User’s Guide

Domain 5

Cyber Incident Management and Resilience

Cyber incident management includes establishing, identifying, and analyzing cyber events; prioritizing the institution’s containment or mitigation; and escalating information to appropriate stakeholders. Cyber resilience

encompasses both planning and testing to maintain and recover ongoing operations during and following a cyber incident.

Assessment Factors

Incident Resilience Planning & Strategy incorporates resilience planning and testing into existing business continuity and disaster recovery plans to minimize service disruptions and the destruction or corruption of data.

Detection, Response, & Mitigation refers to the steps management takes to identify, prioritize, respond to, and mitigate the effects of internal and external threats and vulnerabilities.

Escalation & Reporting ensures key stakeholders are informed about the impact of cyber incidents, and regulators, law enforcement, and customers are notified as required.

Each maturity level includes a set of declarative statements that describe how the behaviors, practices, and processes of an institution can consistently produce the desired outcomes.

Figure 3: Cybersecurity Maturity Levels

Innovative

Advanced

Intermediate

The Assessment starts at the Baseline maturity level and progresses to the highest maturity, the Innovative level (Figure 3). Table 2 provides definitions for each of the maturity levels, which are cumulative.

Table 2: Maturity Levels Defined

Evolving

Baseline

	Maturity Levels Defined
Baseline	Baseline maturity is characterized by minimum expectations required by law and regulations or
	recommended in supervisory guidance. This level includes compliance-driven objectives.
	Management has reviewed and evaluated guidance.

Evolving	Evolving maturity is characterized by additional formality of documented procedures and policies
	that are not already required. Risk-driven objectives are in place. Accountability for cybersecurity is
	formally assigned and broadened beyond protection of customer information to incorporate
	information assets and systems.

Intermediate	Intermediate maturity is characterized by detailed, formal processes. Controls are validated and
	consistent. Risk-management practices and analysis are integrated into business strategies.

Advanced	Advanced maturity is characterized by cybersecurity practices and analytics that are integrated
	across lines of business. Majority of risk-management processes are automated and include
	continuous process improvement. Accountability for risk decisions by frontline businesses is
	formally assigned.

Innovative	Innovative maturity is characterized by driving innovation in people, processes, and technology for
	the institution and the industry to manage cyber risks. This may entail developing new controls, new
	tools, or creating new information-sharing groups. Real-time, predictive analytics are tied to
	automated responses.

June 2015

FFIEC Cybersecurity Assessment Tool

User’s Guide

Completing the Cybersecurity Maturity

Each domain and maturity level has a set of declarative statements organized by assessment factor. To assist the institution’s ability to follow common themes across maturity levels,

statements are categorized by components. The components are groups of similar declarative statements to make the Assessment easier to use (Figure 4).

Figure 4: Cybersecurity Maturity


				Domain
Maturity				Domain 1: Cyber Risk Management and Oversight
Level
Level				Assessment Factor: Governance	Assessment
				Assessment Factor: Governance

			Y, N		Factor
					Factor
	OVERSIGHT	Baseline		Designated members of management are held accountable by the board or an appropriate board committee for implementing and
	OVERSIGHT	Baseline		board or an appropriate board committee at least annually. (FFIEC Information Security Booklet, page 5)
				managing the information security and business continuity programs. (FFIEC Information Security Booklet, page 3)
				Information security risks are discussed in management meetings when prompted by highly visible cyber events or regulatory
				alerts. (FFIEC Information Security Booklet, page 6)

				Management provides a written report on the overall status of the information security and business continuity programs to the

				The budgeting process includes information security related expenses and tools. (FFIEC E-Banking Booklet, page 20)
				Management considers the risks posed by other critical infrastructures (e.g., telecommunications, energy) to the institution. (FFIEC
				Business Continuity Planning Booklet, page J-12)		Declarative
						Declarative

		Evolving		At least annually, the board or an appropriate board committee reviews and approves the institution’s cybersecurity program. Statement
				Management is responsible for ensuring compliance with legal and regulatory requirements related to cybersecurity.
				Cybersecurity tools and staff are requested through the budget process.
Component				There is a process to formally discuss and estimate potential expenses associated with cybersecurity incidents as part of the
				budgeting process.

Management determines which declarative statements best fit the current practices of the

institution. All declarative statements in each maturity level, and previous levels, must be attained and sustained to achieve that domain’s maturity level. While management can determine the institution’s maturity level in each domain, the Assessment is not designed to

identify an overall cybersecurity maturity level.

Management may determine that a declarative statement has been sufficiently sustained based on proven results. Certain declarative statements may not apply to all institutions if the product, service, or technology is not offered or used. Declarative statements that may not be applicable to all institutions are clearly designated and would not affect the determination of the specific maturity level.

Interpreting and Analyzing Assessment Results

Management can review the institution’s Inherent Risk Profile in relation to its Cybersecurity Maturity results for each domain to understand whether they are aligned.

Table 3 depicts the relationship between an institution’s Inherent Risk Profile and its domain

Maturity Levels, as there is no single expected level for an institution. In general, as inherent risk rises, an institution’s maturity levels should increase. An institution’s inherent risk profile and

maturity levels will change over time as threats, vulnerabilities, and operational environments change. Thus, management should consider reevaluating its inherent risk profile and cybersecurity maturity periodically and when planned changes can affect its inherent risk profile (e.g., launching new products or services, new connections).

June 2015

FFIEC Cybersecurity Assessment Tool

User’s Guide

Table 3: Risk/Maturity Relationship

				Inherent Risk Levels
		Least	Minimal	Moderate	Significant	Most
for Each		Innovative
for Each		Advanced
Level		Advanced
Level
Maturity	Domain	Intermediate
Maturity	Domain
Cybersecurity		Evolving
		Baseline

If management determines that the institution’s maturity levels are not appropriate in relation to the inherent risk profile, management should consider reducing inherent risk or developing a strategy to improve the maturity levels. This process includes

∙determining target maturity levels.

∙conducting a gap analysis.

∙prioritizing and planning actions.

∙implementing changes.

∙reevaluating over time.

∙communicating the results.

Management can set target maturity levels for each domain or across domains based on the institution’s business objectives and risk appetite. Management can conduct a gap analysis

between the current and target maturity levels and initiate improvements based on the gaps. Each declarative statement can represent a range of strategies and processes that have enterprise-wide impact. For example, declarative statements not yet attained provide insights for policies,

processes, procedures, and controls that may improve risk management in relation to a specific risk or the institution’s overall cybersecurity preparedness.

Using the maturity levels in each domain, management can identify potential actions that would increase the institution’s overall cybersecurity preparedness. Management can review declarative

statements at maturity levels beyond what the institution has achieved to determine the actions needed to reach the next level and implement changes to address gaps. Management’s periodic

reevaluations of the inherent risk profile and maturity levels may further assist the institution in

maintaining an appropriate level of cybersecurity preparedness. In addition, management may also seek an independent validation, such as by the internal audit function, of the institution’s

Assessment process and findings.

June 2015

FFIEC Cybersecurity Assessment Tool

User’s Guide

The Assessment results should be communicated to the chief executive officer (CEO) and board. More information and questions to consider are contained in the “Overview for Chief Executive

Officers and Boards of Directors.”

Resources

In addition to the “Overview for Chief Executive Officers and Boards of Directors,” the FFIEC

has released the following documents to assist institutions with the Cybersecurity Assessment Tool.

∙Appendix A: Mapping Baseline Statements to FFIEC IT Examination Handbook

∙Appendix B: Mapping Cybersecurity Assessment Tool to NIST Cybersecurity Framework

∙Appendix C: Glossary

June 2015

	FFIEC Cybersecurity Assessment Tool						Inherent Risk Profile

Inherent Risk Profile

	Category: Technologies and			Risk Levels
	Category: Technologies and

	Connection Types	Least	Minimal	Moderate	Significant		Most


Total number of Internet service		No connections	Minimal complexity	Moderate complexity	Significant		Substantial complexity
provider (ISP) connections (including			(1–20 connections)	(21–100 connections)	complexity (101–200		(>200 connections)
branch connections)					connections)

Unsecured external connections,		None	Few instances of	Several instances of	Significant instances		Substantial instances of
number of connections not users			unsecured	unsecured	of unsecured		unsecured connections
(e.g., file transfer protocol (FTP),			connections (1–5)	connections (6–10)	connections (11–25)	(>25)
Telnet, rlogin)

Wireless network access		No wireless access	Separate access	Guest and corporate	Wireless corporate		Wireless corporate
			points for guest	wireless network	network access;		network access; all
			wireless and	access are logically	significant number of		employees have access;
			corporate wireless	separated; limited	users and access		substantial number of
				number of users and	points (251–1,000		access points (>1,000
				access points (1–250	users; 26–100		users; >100 access
				users; 1–25 access	access points)		points)
				points)

Personal devices allowed to connect		None	Only one device type	Multiple device types	Multiple device types		Any device type used;
to the corporate network			available; available	used; available to	used; available to		available to >25% of
			to <5% of employees	<10% of employees	<25% of authorized		employees (staff,
			(staff, executives,	(staff, executives,	employees (staff,		executives, managers)
			(staff, executives,	managers) and	executives,		and board; all
			managers); e-mail	managers) and	executives,		and board; all
			managers); e-mail	board; e-mail access	managers) and		applications accessed
			access only	board; e-mail access	managers) and		applications accessed
			access only	only	board; e-mail and
				only	board; e-mail and
					some applications
					accessed

Third parties, including number of		No third parties and	Limited number of	Moderate number of	Significant number of		Substantial number of
organizations and number of		no individuals from	third parties (1–5)	third parties (6–10)	third parties (11–25)		third parties (>25) and
individuals from vendors and		third parties with	and limited number	and moderate	and significant		substantial number of
subcontractors, with access to		access to systems	of individuals from	number of individuals	number of individuals		individuals from third
internal systems (e.g., virtual private			third parties (<50)	from third parties	from third parties		parties (>1,500) with
network, modem, intranet, direct			with access; low	(50–500) with	(501–1,500) with		access; high complexity
connection)			complexity in how	access; some	access; high level of		in how they access
			they access systems	complexity in how	complexity in terms		systems
				they access systems	of how they access
					systems

June 2015

FFIEC Cybersecurity Assessment Tool

Inherent Risk Profile

Category: Technologies and

Risk Levels

Connection Types

Least

Minimal

Moderate

Significant

Most

Wholesale customers with dedicated

None

Few dedicated

Several dedicated

Significant number of

Substantial number of

connections

dedicated

dedicated connections

(between 1–5)

(between 6–10)

connections

(>25)

(between 11–25)

Internally hosted and developed or

No applications

Few applications

Several applications

Significant number of

Substantial number of

modified vendor applications

(between 1–5)

(between 6–10)

applications

applications and

supporting critical activities

(between 11–25)

complexity (>25)

Internally hosted, vendor-developed

Limited applications

Few applications (6–

Several applications

Significant number of

Substantial number of

applications supporting critical

(0–5)

30)

(31–75)

applications (76–200)

applications and

activities

complexity (>200)

User-developed technologies and

No user-developed

1–100 technologies

101–500

501–2,500

>2,500 technologies

user computing that support critical

technologies

activities (includes Microsoft Excel

spreadsheets and Access databases

or other user-developed tools)

End-of-life (EOL) systems

No systems

Few systems that are

Several systems that

A large number of

Majority of critical

(hardware or

at risk of EOL and

will reach EOL within

systems that support

operations dependent

software) that are

none that support

2 years and some

critical operations at

on systems that have

past EOL or at risk of

critical operations

that support critical

EOL or are at risk of

reached EOL or will

nearing EOL within 2

operations

reaching EOL in 2

reach EOL within the

years

next 2 years or an

unknown number of

systems that have

reached EOL

Open Source Software (OSS)

No OSS

Limited OSS and

Several OSS that

Large number of

Majority of operations

none that support

support critical

OSS that support

dependent on OSS

critical operations

operations

critical operations

Network devices (e.g., servers,

Limited or no network

Few devices (250–

Several devices

Significant number of

Substantial number of

routers, and firewalls; include

devices (<250)

1,500)

(1,501–25,000)

devices (25,001–

devices (>50,000)

physical and virtual)

50,000)

Third-party service providers storing

No third parties that

1–25 third parties

26–100 third parties

101–200 third parties

>200 third parties that

and/or processing information that

support critical

that support critical

support critical activities;

support critical activities (Do not have

activities

activities; 1 or more

1 or more are foreign-

access to internal systems, but the

are foreign-based

based

institution relies on their services)

June 2015

FFIEC Cybersecurity Assessment Tool

Inherent Risk Profile

Category: Technologies and

Risk Levels

Connection Types

Least

Minimal

Moderate

Significant

Most

Cloud computing services hosted

No cloud providers

Few cloud providers;

Several cloud

Significant number of

Substantial number of

externally to support critical activities

private cloud only (1–

providers (4–7)

cloud providers (8–

cloud providers (>10);

10); cloud-provider

cloud-provider locations

locations used

used include

include international;

international; use of

use of public cloud

public cloud

Category: Delivery Channels

Risk Levels

Least

Minimal

Moderate

Significant

Most

Online presence (customer)	No Web-facing	Serves as an	Serves as a delivery	Serves as a delivery	Internet applications
Online presence (customer)	No Web-facing	Serves as an	Serves as a delivery	Serves as a delivery	Internet applications
	applications or social	informational Web	channel for retail	channel for	serve as a channel to
	media presence	site or social media	online banking; may	wholesale	wholesale customers to
		page (e.g., provides	communicate to	customers; may	manage large value
		branch and ATM	customers through	include retail account	assets
		locations and	social media	origination
		marketing materials)

Mobile presence	None	SMS text alerts or	Mobile banking	Mobile banking	Full functionality,
		notices only;	application for retail	application includes	including originating new
		browser-based	customers (e.g., bill	external transfers	transactions (e.g., ACH,
		access	payment, mobile	(e.g., for corporate	wire)
			check capture,	clients, recurring
			internal transfers	external transactions)
			only)

Automated Teller Machines (ATM)	No ATM services	ATM services offered	ATM services	ATM services	ATM services managed
(Operation)		but no owned	managed by a third	managed internally;	internally; ATM services
		machines	party; ATMs at local	ATMs at U.S.	provided to other
			and regional	branches and retail	financial institutions;
			branches; cash	locations; cash	ATMs at domestic and
			reload services	reload services	international branches
			outsourced	outsourced	and retail locations;
					cash reload services
					managed internally

June 2015

	FFIEC Cybersecurity Assessment Tool	Inherent Risk Profile

Category: Online/Mobile Products and Technology Services

Risk Levels

Least

Minimal

Moderate

Significant

Most

Issue debit or credit cards	Do not issue debit or	Issue debit and/or	Issue debit or credit	Issue debit or credit	Issue debit or credit
Issue debit or credit cards	Do not issue debit or	Issue debit and/or	Issue debit or credit	Issue debit or credit	Issue debit or credit
	credit cards	credit cards through	cards through a third	cards directly;	cards directly; >100,000
		a third party; <10,000	party; between	between 50,000–	cards outstanding; issue
		cards outstanding	10,000–50,000 cards	100,000 cards	cards on behalf of other
			outstanding	outstanding	financial institutions

Prepaid cards	Do not issue prepaid	Issue prepaid cards	Issue prepaid cards	Issue prepaid cards	Issue prepaid cards
	cards	through a third party;	through a third party;	through a third party;	internally, through a
		<5,000 cards	5,000–10,000 cards	10,001–20,000 cards	third party, or on behalf
		outstanding	outstanding	outstanding	of other financial
					institutions; >20,000
					cards outstanding

Emerging payments technologies	Do not accept or use	Indirect acceptance	Direct acceptance or	Direct acceptance or	Direct acceptance of
(e.g., digital wallets, mobile wallets)	emerging payments	or use of emerging	use of emerging	use of emerging	emerging payments
	technologies	payments	payments	payments	technologies; moderate
		technologies	technologies; partner	technologies; small	transaction volume
		(customer use may	or co-brand with non-	transaction volume;	and/or foreign payments
		affect deposit or	bank providers;	no foreign payments
		credit account)	limited transaction
			volume

Person-to-person payments (P2P)	Not offered	Customers allowed	Customers allowed to	Customers allowed	Customers allowed to
		to originate	originate payments;	to originate	request payment or to
		payments; used by	used by 1,000–5,000	payments; used by	originate payment; used
		<1,000 customers or	customers or monthly	5,001–10,000	by >10,000 customers
		monthly transaction	transaction volume is	customers or monthly	or monthly transaction
		volume is <50,000	between 50,000–	transaction volume is	volume >1 million
			100,000	between 100,001–
				1 million

Originating ACH payments	No ACH origination	Originate ACH	Originate ACH debits	Sponsor third-party	Sponsor nested third-
		credits; daily volume	and credits; daily	payment processor;	party payment
		<3% of total assets	volume is 3%–5% of	originate ACH debits	processors; originate
			total assets	and credits with daily	debits and credits with
				volume 6%–25% of	daily volume that is
				total assets	>25% of total assets

Originating wholesale payments (e.g.,	Do not originate	Daily originated	Daily originated	Daily originated	Daily originated
CHIPS)	wholesale payments	wholesale payment	wholesale payment	wholesale payment	wholesale payment
		volume <3% of total	volume 3%–5% of	volume 6%–25% of	volume >25% of total
		assets	total assets	total assets	assets

June 2015

FFIEC Cybersecurity Assessment Tool

Inherent Risk Profile

Category: Online/Mobile Products

Risk Levels

and Technology Services

Least

Minimal

Moderate

Significant

Most

Wire transfers

Not offered

In person wire

In person, phone,

Multiple request

requests only;

and fax wire

channels (e.g.,

channels (e.g., online,

domestic wires only;

requests; domestic

online, text, e-mail,

text, e-mail, fax, and

daily wire volume

fax, and phone); daily

phone); daily domestic

<3% of total assets

3%–5% of total

domestic wire

wire volume >25% of

assets; international

volume 6%–25% of

total assets; daily

daily wire volume

total assets; daily

international wire

<3% of total assets

international wire

volume >10% of total

volume 3%–10% of

assets

total assets

Merchant remote deposit capture

Do not offer Merchant

<100 merchant

100–500 merchant

501–1,000 merchant

>1,000 merchant clients;

(RDC)

RDC

clients; daily volume

daily volume of

of transactions is

transactions is >25% of

<3% of total assets

3%–5% of total

6%–25% of total

total assets

assets

Global remittances

Do not offer global

Gross daily

Gross daily transaction

remittances

transaction volume is

volume is >25% of total

<3% of total assets

3%–5% of total

6%–25% of total

assets

Treasury services and clients

No treasury

Limited services

Services offered

Multiple services offered

management

offered; number of

include lockbox, ACH

include accounts

including currency

services are offered

clients is <1,000

origination, and

receivable solutions

services, online

remote deposit

and liquidity

investing, and

capture; number of

management;

investment sweep

clients is between

number of clients is

accounts; number of

1,000–10,000

between 10,001–

clients is >20,000

20,000

Trust services

Trust services are not

Trust services are

Trust services

Trust services provided

offered

offered through a

provided directly;

directly; assets under

third-party provider;

portfolio of assets

assets under

management total

assets under

under management

management total

>$10 billion

management total

total $500 million–

$1 billion–$10 billion

<$500 million

$999 million

Act as a correspondent bank

Do not act as a

Act as a

Act as a correspondent

(Interbank transfers)

correspondent bank

bank for >500

for <100 institutions

for 100–250

for 251–500

institutions

June 2015

FFIEC Cybersecurity Assessment Tool

Inherent Risk Profile

Category: Online/Mobile Products

Risk Levels

and Technology Services

Least

Minimal

Moderate

Significant

Most

Merchant acquirer (sponsor

Do not act as a

Act as a merchant

merchants or card processor activity

merchant acquirer

acquirer; <1,000

acquirer; outsource

acquirer and card

into the payment system)

merchants

card payment

payment processor;

processing; 1,000–

10,001–100,000

>100,000 merchants

10,000 merchants

merchants

Host IT services for other

Do not provide IT

Host or provide IT

organizations (either through joint

services for other

services for affiliated

services for up to 25

services for 26–50

services for >50

systems or administrative support)

organizations

unaffiliated

organizations

Category: Organizational Characteristics

Risk Levels

Least

Minimal

Moderate

Significant

Most

Mergers and acquisitions (including	None planned	Open to initiating	In discussions with	A sale or acquisition	Multiple ongoing
Mergers and acquisitions (including	None planned	Open to initiating	In discussions with	A sale or acquisition	Multiple ongoing
divestitures and joint ventures)		discussions or	at least 1 party	has been publicly	integrations of
		actively seeking a		announced within the	acquisitions are in
		merger or acquisition		past year, in	process
				negotiations with 1 or
				more parties

Direct employees (including	Number of	Number of	Number of	Number of employees	Number of employees is
information technology and	employees totals <50	employees totals 50–	employees totals	totals 10,001–50,000	>50,000
cybersecurity contractors)		2,000	2,001–10,000

Changes in IT and information	Key positions filled;	Staff vacancies exist	Some turnover in	Frequent turnover in	Vacancies in senior or
security staffing	low or no turnover of	for non-critical roles	key or senior	key staff or senior	key positions for long
	personnel		positions	positions	periods; high level of
					employee turnover in IT
					or information security

Privileged access (Administrators–	Limited number of	Level of turnover in	Level of turnover in	High reliance on	High employee turnover
network, database, applications,	administrators;	administrators does	administrators	external	in network
systems, etc.)	limited or no external	not affect operations	affects operations;	administrators;	administrators; many or
	administrators	or activities; may	number of	number of	most administrators are
		utilize some external	administrators for	administrators is not	external (contractors or
		administrators	individual systems or	sufficient to support	vendors); experience in
			applications exceeds	level or pace of	network administration
			what is necessary	change	is limited

June 2015

	FFIEC Cybersecurity Assessment Tool	Inherent Risk Profile

Category: Organizational Characteristics

Risk Levels

Least

Minimal

Moderate

Significant

Most

Changes in IT environment (e.g.,

Stable IT

Infrequent or minimal

Frequent adoption of

Volume of significant

Substantial change in

network, infrastructure, critical

environment

changes in the IT

new technologies

changes is high

outsourced provider(s)

applications, technologies supporting

environment

of critical IT services;

new products or services)

large and complex

changes to the

environment occur

frequently

Locations of branches/business

1 state

1 region

1 country

1–20 countries

>20 countries

presence

Locations of operations/data centers

1 state

1 region

1 country

1–10 countries

>10 countries

Risk Levels

Category: External Threats

Least

Minimal

Moderate

Significant

Most

Attempted cyber attacks

No attempted attacks

Few attempts

Several attempts

Significant number of

Substantial number of

or reconnaissance

monthly (<100); may

monthly (100– 500);

attempts monthly

have had generic

phishing campaigns

(501–100,000); spear

(>100,000); persistent

phishing campaigns

targeting employees

phishing campaigns

attempts to attack senior

received by

or customers at the

targeting high net

management and/or

employees and

institution or third

worth customers and

network administrators;

customers

parties supporting

employees at the

frequently targeted for

critical activities; may

institution or third

DDoS attacks

have experienced an

parties supporting

attempted Distributed

critical activities;

Denial of Service

Institution specifically

(DDoS) attack within

is named in threat

the last year

reports; may have

experienced multiple

attempted DDoS

attacks within the last

year

June 2015

FFIEC Cybersecurity Assessment Tool					Inherent Risk Profile


			Risk Levels

Total	Least	Minimal	Moderate	Significant	Most

Number of Statements Selected in
Each Risk Level

Based on Individual Risk Levels	Least	Minimal	Moderate	Significant	Most
Selected, Assign an Inherent Risk
Profile

June 2015

FFIEC Cybersecurity Assessment Tool	Cybersecurity Maturity: Domain 1

Cybersecurity Maturity

Domain 1: Cyber Risk Management and Oversight

OVERSIGHT

		Assessment Factor: Governance
	Y, N
	Y, N
Baseline		Designated members of management are held accountable by the board
		or an appropriate board committee for implementing and managing the
		information security and business continuity programs. (FFIEC
		Information Security Booklet, page 3)
		Information security risks are discussed in management meetings when
		prompted by highly visible cyber events or regulatory alerts. (FFIEC
		Information Security Booklet, page 6)
		Management provides a written report on the overall status of the
		information security and business continuity programs to the board or an
		appropriate board committee at least annually. (FFIEC Information
		Security Booklet, page 5)
		The budgeting process includes information security related expenses
		and tools. (FFIEC E-Banking Booklet, page 20)
		Management considers the risks posed by other critical infrastructures
		(e.g., telecommunications, energy) to the institution. (FFIEC Business
		Continuity Planning Booklet, page J-12)

Evolving		At least annually, the board or an appropriate board committee reviews
		and approves the institution’s cybersecurity program.
		Management is responsible for ensuring compliance with legal and
		regulatory requirements related to cybersecurity.
		Cybersecurity tools and staff are requested through the budget process.
		There is a process to formally discuss and estimate potential expenses
		associated with cybersecurity incidents as part of the budgeting process.

Intermediate		The board or an appropriate board committee has cybersecurity
		expertise or engages experts to assist with oversight responsibilities.
		The standard board meeting package includes reports and metrics that
		go beyond events and incidents to address threat intelligence trends and
		the institution’s security posture.
		The institution has a cyber risk appetite statement approved by the board
		or an appropriate board committee.
		Cyber risks that exceed the risk appetite are escalated to management.
		The board or an appropriate board committee ensures management’s

June 2015

FFIEC Cybersecurity Assessment Tool	Cybersecurity Maturity: Domain 1

annual cybersecurity self-assessment evaluates the institution’s ability to meet its cyber risk management standards.

		The board or an appropriate board committee reviews and approves
		management’s prioritization and resource allocation decisions based on
		the results of the cyber assessments.
		The board or an appropriate board committee ensures management
		takes appropriate actions to address changing cyber risks or significant
		cybersecurity issues.
		The budget process for requesting additional cybersecurity staff and
		tools is integrated into business units’ budget processes.

	Advanced	The board or board committee approved cyber risk appetite statement is
		part of the enterprise-wide risk appetite statement.
		Management has a formal process to continuously improve cybersecurity
		oversight.
		The budget process for requesting additional cybersecurity staff and
		tools maps current resources and tools to the cybersecurity strategy.
		Management and the board or an appropriate board committee hold
		business units accountable for effectively managing all cyber risks
		associated with their activities.
		Management identifies root cause(s) when cyber attacks result in
		material loss.
		The board or an appropriate board committee ensures that
		management’s actions consider the cyber risks that the institution poses
		to the financial sector.

	Innovative	The board or an appropriate board committee discusses ways for
		management to develop cybersecurity improvements that may be
		adopted sector-wide.
		The board or an appropriate board committee verifies that management’s
		actions consider the cyber risks that the institution poses to other critical
		infrastructures (e.g., telecommunications, energy).

June 2015

FFIEC Cybersecurity Assessment Tool	Cybersecurity Maturity: Domain 1

STRATEGY/ POLICIES

Baseline		The institution has an information security strategy that integrates
		technology, policies, procedures, and training to mitigate risk. (FFIEC
		Information Security Booklet, page 3)
		The institution has policies commensurate with its risk and complexity
		that address the concepts of information technology risk management.
		(FFIEC Information Security Booklet, page, 16)
		The institution has policies commensurate with its risk and complexity
		that address the concepts of threat information sharing. (FFIEC E-
		Banking Booklet, page 28)
		The institution has board-approved policies commensurate with its risk
		and complexity that address information security. (FFIEC Information
		Security Booklet, page 16)
		The institution has policies commensurate with its risk and complexity
		that address the concepts of external dependency or third-party
		management. (FFIEC Outsourcing Booklet, page 2)
		The institution has policies commensurate with its risk and complexity
		that address the concepts of incident response and resilience. (FFIEC
		Information Security Booklet, page 83)
		All elements of the information security program are coordinated
		enterprise-wide. (FFIEC Information Security Booklet, page 7)

Evolving		The institution augmented its information security strategy to incorporate
		cybersecurity and resilience.
		The institution has a formal cybersecurity program that is based on
		technology and security industry standards or benchmarks.
		A formal process is in place to update policies as the institution’s inherent
		risk profile changes.

Intermediate		The institution has a comprehensive set of policies commensurate with
		its risk and complexity that address the concepts of threat intelligence.
		Management periodically reviews the cybersecurity strategy to address
		evolving cyber threats and changes to the institution’s inherent risk
		profile.
		The cybersecurity strategy is incorporated into, or conceptually fits within,
		the institution’s enterprise-wide risk management strategy.
		Management links strategic cybersecurity objectives to tactical goals.
		A formal process is in place to cross-reference and simultaneously
		update all policies related to cyber risks across business lines.

June 2015

	FFIEC Cybersecurity Assessment Tool			Cybersecurity Maturity: Domain 1


		Advanced	The cybersecurity strategy outlines the institution’s future state of
			cybersecurity with short-term and long-term perspectives.
			Industry-recognized cybersecurity standards are used as sources during
			the analysis of cybersecurity program gaps.
			The cybersecurity strategy identifies and communicates the institution’s
			role as a component of critical infrastructure in the financial services
			industry.
			The risk appetite is informed by the institution’s role in critical
			infrastructure.
			Management is continuously improving the existing cybersecurity
			program to adapt as the desired cybersecurity target state changes.

		Innovative	The cybersecurity strategy identifies and communicates the institution’s
			role as it relates to other critical infrastructures.

MANAGEMENT		Baseline	An inventory of organizational assets (e.g., hardware, software, data, and
		Baseline
			systems hosted externally) is maintained. (FFIEC Information Security
			Booklet, page 9)
			Organizational assets (e.g., hardware, systems, data, and applications)
			are prioritized for protection based on the data classification and
ASSET			business value. (FFIEC Information Security Booklet, page 12)
ASSET			Management assigns accountability for maintaining an inventory of

IT			organizational assets. (FFIEC Information Security Booklet, page 9)
IT
			A change management process is in place to request and approve
			changes to systems configurations, hardware, software, applications,
			and security tools. (FFIEC Information Security Booklet, page 56)

		Evolving	The asset inventory, including identification of critical assets, is updated
			at least annually to address new, relocated, re-purposed, and sunset
			assets.
			The institution has a documented asset life-cycle process that considers
			whether assets to be acquired have appropriate security safeguards.
			The institution proactively manages system EOL (e.g., replacement) to
			limit security risks.
			Changes are formally approved by an individual or committee with
			appropriate authority and with separation of duties.

June 2015

	FFIEC Cybersecurity Assessment Tool			Cybersecurity Maturity: Domain 1


		Intermediate	Baseline configurations cannot be altered without a formal change
			request, documented approval, and an assessment of security
			implications.
			A formal IT change management process requires cybersecurity risk to
			be evaluated during the analysis, approval, testing, and reporting of
			changes.

		Advanced	Supply chain risk is reviewed before the acquisition of mission-critical
			information systems including system components.
			Automated tools enable tracking, updating, asset prioritizing, and custom
			reporting of the asset inventory.
			Automated processes are in place to detect and block unauthorized
			changes to software and hardware.
			The change management system uses thresholds to determine when a
			risk assessment of the impact of the change is required.

		Innovative	A formal change management function governs decentralized or highly
			distributed change requests and identifies and measures security risks
			that may cause increased exposure to cyber attack.
			Comprehensive automated enterprise tools are implemented to detect
			and block unauthorized changes to software and hardware.

			Assessment Factor: Risk Management

MANAGEMENT	PROGRAM	Baseline	An information security and business continuity risk management
		Baseline
			function(s) exists within the institution. (FFIEC Information Security
			Booklet, page 68)

		Evolving	The risk management program incorporates cyber risk identification,
			measurement, mitigation, monitoring, and reporting.
RISK			Management reviews and uses the results of audits to improve existing
RISK			cybersecurity policies, procedures, and controls.
			cybersecurity policies, procedures, and controls.
			Management monitors moderate and high residual risk issues from the
			cybersecurity risk assessment until items are addressed.

June 2015

FFIEC Cybersecurity Assessment Tool			Cybersecurity Maturity: Domain 1


	Intermediate	The cybersecurity function has a clear reporting line that does not
		present a conflict of interest.
		The risk management program specifically addresses cyber risks beyond
		the boundaries of the technological impacts (e.g., financial, strategic,
		regulatory, compliance).
		Benchmarks or target performance metrics have been established for
		showing improvements or regressions of the security posture over time.
		Management uses the results of independent audits and reviews to
		improve cybersecurity.
		There is a process to analyze and assign potential losses and related
		expenses, by cost center, associated with cybersecurity incidents.

	Advanced	Cybersecurity metrics are used to facilitate strategic decision-making and
		funding in areas of need.
		Independent risk management sets and monitors cyber-related risk limits
		for business units.
		Independent risk management staff escalates to management and the
		board or an appropriate board committee significant discrepancies from
		business unit’s assessments of cyber-related risk.
		A process is in place to analyze the financial impact cyber incidents have
		on the institution’s capital.
		The cyber risk data aggregation and real-time reporting capabilities
		support the institution’s ongoing reporting needs, particularly during
		cyber incidents.

	Innovative	The risk management function identifies and analyzes commonalities in
		cyber events that occur both at the institution and across other sectors to
		enable more predictive risk management.
		A process is in place to analyze the financial impact that a cyber incident
		at the institution may have across the financial sector.

June 2015

FFIEC Cybersecurity Assessment Tool	Cybersecurity Maturity: Domain 1

RISK ASSESSMENT

Baseline		A risk assessment focused on safeguarding customer information
		identifies reasonable and foreseeable internal and external threats, the
		likelihood and potential damage of threats, and the sufficiency of policies,
		procedures, and customer information systems. (FFIEC Information
		Security Booklet, page 8)
		The risk assessment identifies internet-based systems and high-risk
		transactions that warrant additional authentication controls. (FFIEC
		Information Security Booklet, page 12)
		The risk assessment is updated to address new technologies, products,
		services, and connections before deployment. (FFIEC Information
		Security Booklet, page 13)

Evolving		Risk assessments are used to identify the cybersecurity risks stemming
		from new products, services, or relationships.
		The focus of the risk assessment has expanded beyond customer
		information to address all information assets.
		The risk assessment considers the risk of using EOL software and
		hardware components.

Intermediate		The risk assessment is adjusted to consider widely known risks or risk
		management practices.

Advanced		An enterprise-wide risk management function incorporates cyber threat
		analysis and specific risk exposure as part of the enterprise risk
		assessment.

Innovative		The risk assessment is updated in real time as changes to the risk profile
		occur, new applicable standards are released or updated, and new
		exposures are anticipated.
		The institution uses information from risk assessments to predict threats
		and drive real-time responses.
		Advanced or automated analytics offer predictive information and real-
		time risk metrics.

June 2015

FFIEC Cybersecurity Assessment Tool	Cybersecurity Maturity: Domain 1

AUDIT

Baseline		Independent audit or review evaluates policies, procedures, and controls
		across the institution for significant risks and control issues associated
		with the institution's operations, including risks in new products, emerging
		technologies, and information systems. (FFIEC Audit Booklet, page 4)
		The independent audit function validates controls related to the storage or
		transmission of confidential data. (FFIEC Audit Booklet, page 1)
		Logging practices are independently reviewed periodically to ensure
		appropriate log management (e.g., access controls, retention, and
		maintenance). (FFIEC Operations Booklet, page 29)
		Issues and corrective actions from internal audits and independent
		testing/assessments are formally tracked to ensure procedures and
		control lapses are resolved in a timely manner. (FFIEC Information
		Security Booklet, page 6)

Evolving		The independent audit function validates that the risk management
		function is commensurate with the institution’s risk and complexity.
		The independent audit function validates that the institution’s threat
		information sharing is commensurate with the institution’s risk and
		complexity.
		The independent audit function validates that the institution’s
		cybersecurity controls function is commensurate with the institution’s risk
		and complexity.
		The independent audit function validates that the institution’s third-party
		relationship management is commensurate with the institution’s risk and
		complexity.
		The independent audit function validates that the institution’s incident
		response program and resilience are commensurate with the institution’s
		risk and complexity.

Intermediate		A formal process is in place for the independent audit function to update
		its procedures based on changes to the institution’s inherent risk profile.
		The independent audit function validates that the institution’s threat
		intelligence and collaboration are commensurate with the institution’s risk
		and complexity.
		The independent audit function regularly reviews management’s cyber
		risk appetite statement.
		Independent audits or reviews are used to identify gaps in existing
		security capabilities and expertise.

June 2015

	FFIEC Cybersecurity Assessment Tool			Cybersecurity Maturity: Domain 1


		Advanced	A formal process is in place for the independent audit function to update
			its procedures based on changes to the evolving threat landscape across
			the sector.
			The independent audit function regularly reviews the institution’s cyber
			risk appetite statement in comparison to assessment results and
			incorporates gaps into the audit strategy.
			Independent audits or reviews are used to identify cybersecurity
			weaknesses, root causes, and the potential impact to business units.

		Innovative	A formal process is in place for the independent audit function to update
			its procedures based on changes to the evolving threat landscape across
			other sectors the institution depends upon.
			The independent audit function uses sophisticated data mining tools to
			perform continuous monitoring of cybersecurity processes or controls.

			Assessment Factor: Resources

STAFFING		Baseline	Information security roles and responsibilities have been identified.
		Baseline
			(FFIEC Information Security Booklet, page 7)
			Processes are in place to identify additional expertise needed to improve
			information security defenses. (FFIEC Information Security Work
			Program, Objective I: 2-8)

		Evolving	A formal process is used to identify cybersecurity tools and expertise that
			may be needed.
			Management with appropriate knowledge and experience leads the
			institution's cybersecurity efforts.
			Staff with cybersecurity responsibilities have the requisite qualifications to
			perform the necessary tasks of the position.
			Employment candidates, contractors, and third parties are subject to
			background verification proportional to the confidentiality of the data
			accessed, business requirements, and acceptable risk.

		Intermediate	The institution has a program for talent recruitment, retention, and
			succession planning for the cybersecurity and resilience staffs.

		Advanced	The institution benchmarks its cybersecurity staffing against peers to
			identify whether its recruitment, retention, and succession planning are
			commensurate.
			Dedicated cybersecurity staff develops, or contributes to developing,
			integrated enterprise-level security and cyber defense strategies.

June 2015

FFIEC Cybersecurity Assessment Tool	Cybersecurity Maturity: Domain 1

TRAINING

	Innovative		The institution actively partners with industry associations and academia
			to inform curricula based on future cybersecurity staffing needs of the
			industry.
			Assessment Factor: Training and Culture
			Assessment Factor: Training and Culture
	Baseline		Annual information security training is provided. (FFIEC Information
	Baseline
			Security Booklet, page 66)
			Annual information security training includes incident response, current
			cyber threats (e.g., phishing, spear phishing, social engineering, and
			mobile security), and emerging issues. (FFIEC Information Security
			Booklet, page 66)
			Situational awareness materials are made available to employees when
			prompted by highly visible cyber events or by regulatory alerts. (FFIEC
			Information Security Booklet, page 7)
			Customer awareness materials are readily available (e.g., DHS’
			Cybersecurity Awareness Month materials). (FFIEC E-Banking Work
			Program, Objective 6-3)

	Evolving		The institution has a program for continuing cybersecurity training and
			skill development for cybersecurity staff.
			Management is provided cybersecurity training relevant to their job
			responsibilities.
			Employees with privileged account permissions receive additional
			cybersecurity training commensurate with their levels of responsibility.
			Business units are provided cybersecurity training relevant to their
			particular business risks.
			The institution validates the effectiveness of training (e.g., social
			engineering or phishing tests).

	Intermediate		Management incorporates lessons learned from social engineering and
			phishing exercises to improve the employee awareness programs.
			Cybersecurity awareness information is provided to retail customers and
			commercial clients at least annually.
			Business units are provided cybersecurity training relevant to their
			particular business risks, over and above what is required of the
			institution as a whole.
			The institution routinely updates its training to security staff to adapt to
			new threats.

June 2015

FFIEC Cybersecurity Assessment Tool	Cybersecurity Maturity: Domain 1

CULTURE

Advanced		Independent directors are provided with cybersecurity training that
		addresses how complex products, services, and lines of business affect
		the institution's cyber risk.

Innovative		Key performance indicators are used to determine whether training and
		awareness programs positively influence behavior.
Baseline		Management holds employees accountable for complying with the
		information security program. (FFIEC Information Security Booklet, page
		7)

Evolving		The institution has formal standards of conduct that hold all employees
		accountable for complying with cybersecurity policies and procedures.
		Cyber risks are actively discussed at business unit meetings.
		Employees have a clear understanding of how to identify and escalate
		potential cybersecurity issues.

Intermediate		Management ensures performance plans are tied to compliance with
		cybersecurity policies and standards in order to hold employees
		accountable.
		The risk culture requires formal consideration of cyber risks in all
		business decisions.
		Cyber risk reporting is presented and discussed at the independent risk
		management meetings.

Advanced		Management ensures continuous improvement of cyber risk cultural
		awareness.

Innovative		The institution leads efforts to promote cybersecurity culture across the
		sector and to other sectors that they depend upon.

June 2015

FFIEC Cybersecurity Assessment Tool	Cybersecurity Maturity: Domain 2

THREAT INTELLIGENCE AND INFORMATION

Domain 2: Threat Intelligence and Collaboration
		Assessment Factor: Threat Intelligence
	Y,N
	Y,N

Baseline		The institution belongs or subscribes to a threat and vulnerability
		information sharing source(s) that provides information on threats (e.g.,
		Financial Services Information Sharing and Analysis Center [FS-ISAC],
		U.S. Computer Emergency Readiness Team [US-CERT]). (FFIEC E-
		Banking Work Program, page 28)
		Threat information is used to monitor threats and vulnerabilities. (FFIEC
		Information Security Booklet, page 83)
		Threat information is used to enhance internal risk management and
		controls. (FFIEC Information Security Booklet, page 4)

Evolving		Threat information received by the institution includes analysis of tactics,
		patterns, and risk mitigation recommendations.

Intermediate		A formal threat intelligence program is implemented and includes
		subscription to threat feeds from external providers and internal sources.
		Protocols are implemented for collecting information from industry peers
		and government.
		A read-only, central repository of cyber threat intelligence is maintained.

Advanced		A cyber intelligence model is used for gathering threat information.
		Threat intelligence is automatically received from multiple sources in real
		time.
		The institution’s threat intelligence includes information related to
		geopolitical events that could increase cybersecurity threat levels.

Innovative		A threat analysis system automatically correlates threat data to specific
		risks and then takes risk-based automated actions while alerting
		management.
		The institution is investing in the development of new threat intelligence
		and collaboration mechanisms (e.g., technologies, business processes)
		that will transform how information is gathered and shared.

June 2015

FFIEC Cybersecurity Assessment Tool	Cybersecurity Maturity: Domain 2

MONITORING AND ANALYZING

	Assessment Factor: Monitoring and Analyzing
Baseline		Audit log records and other security event logs are reviewed and retained
Baseline
		in a secure manner. (FFIEC Information Security Booklet, page 79)
		Computer event logs are used for investigations once an event has
		occurred. (FFIEC Information Security Booklet, page 83)

Evolving		A process is implemented to monitor threat information to discover
		emerging threats.
		The threat information and analysis process is assigned to a specific group
		or individual.
		Security processes and technology are centralized and coordinated in a
		Security Operations Center (SOC) or equivalent.
		Monitoring systems operate continuously with adequate support for
		efficient incident handling.

Intermediate		A threat intelligence team is in place that evaluates threat intelligence from
		multiple sources for credibility, relevance, and exposure.
		A profile is created for each threat that identifies the likely intent, capability,
		and target of the threat.
		Threat information sources that address all components of the threat
		profile are prioritized and monitored.
		Threat intelligence is analyzed to develop cyber threat summaries
		including risks to the institution and specific actions for the institution to
		consider.

Advanced		A dedicated cyber threat identification and analysis committee or team
		exists to centralize and coordinate initiatives and communications.
		Formal processes have been defined to resolve potential conflicts in
		information received from sharing and analysis centers or other sources.
		Emerging internal and external threat intelligence and correlated log
		analysis are used to predict future attacks.
		Threat intelligence is viewed within the context of the institution's risk
		profile and risk appetite to prioritize mitigating actions in anticipation of
		threats.
		Threat intelligence is used to update architecture and configuration
		standards.

June 2015

FFIEC Cybersecurity Assessment Tool	Cybersecurity Maturity: Domain 2

Innovative

The institution uses multiple sources of intelligence, correlated log analysis, alerts, internal traffic flows, and geopolitical events to predict potential future attacks and attack trends.

Highest risk scenarios are used to predict threats against specific business targets.

IT systems automatically detect configuration weaknesses based on threat intelligence and alert management so actions can be prioritized.

INFORMATION SHARING

		Assessment Factor: Information Sharing

Baseline		Information security threats are gathered and shared with applicable
		internal employees. (FFIEC Information Security Booklet, page 83)
		Contact information for law enforcement and the regulator(s) is maintained
		and updated regularly. (FFIEC Business Continuity Planning Work
		Program, Objective I: 5-1)
		Information about threats is shared with law enforcement and regulators
		when required or prompted. (FFIEC Information Security Booklet, page 84)

Evolving		A formal and secure process is in place to share threat and vulnerability
		information with other entities.
		A representative from the institution participates in law enforcement or
		information-sharing organization meetings.

Intermediate		A formal protocol is in place for sharing threat, vulnerability, and incident
		information to employees based on their specific job function.
		Information-sharing agreements are used as needed or required to
		facilitate sharing threat information with other financial sector organizations
		or third parties.
		Information is shared proactively with the industry, law enforcement,
		regulators, and information-sharing forums.
		A process is in place to communicate and collaborate with the public
		sector regarding cyber threats.

Advanced		Management communicates threat intelligence with business risk context
		and specific risk management recommendations to the business units.
		Relationships exist with employees of peer institutions for sharing cyber
		threat intelligence.
		A network of trust relationships (formal and/or informal) has been
		established to evaluate information about cyber threats.

June 2015

FFIEC Cybersecurity Assessment Tool	Cybersecurity Maturity: Domain 2

Innovative

A mechanism is in place for sharing cyber threat intelligence with business units in real time including the potential financial and operational impact of inaction.

A system automatically informs management of the level of business risk specific to the institution and the progress of recommended steps taken to mitigate the risks.

The institution is leading efforts to create new sector-wide information- sharing channels to address gaps in external-facing information-sharing mechanisms.

June 2015

FFIEC Cybersecurity Assessment Tool	Cybersecurity Maturity: Domain 3

INFRASTRUCTURE MANAGEMENT

	Domain 3: Cybersecurity Controls
		Assessment Factor: Preventative Controls
	Y, N
	Y, N
Baseline		Network perimeter defense tools (e.g., border router and firewall) are
		used. (FFIEC Information Security Booklet, page 33)
		Systems that are accessed from the Internet or by external parties are
		protected by firewalls or other similar devices. (FFIEC Information
		Security Booklet, page 46)
		All ports are monitored. (FFIEC Information Security Booklet, page 50)
		Up to date antivirus and anti-malware tools are used. (FFIEC Information
		Security Booklet, page 78)
		Systems configurations (for servers, desktops, routers, etc.) follow
		industry standards and are enforced. (FFIEC Information Security
		Booklet, page 56)
		Ports, functions, protocols and services are prohibited if no longer needed
		for business purposes. (FFIEC Information Security Booklet, page 50)
		Access to make changes to systems configurations (including virtual
		machines and hypervisors) is controlled and monitored. (FFIEC
		Information Security Booklet, page 56)
		Programs that can override system, object, network, virtual machine, and
		application controls are restricted. (FFIEC Information Security Booklet,
		page 41)
		System sessions are locked after a pre-defined period of inactivity and
		are terminated after pre-defined conditions are met. (FFIEC Information
		Security Booklet, page 23)
		Wireless network environments require security settings with strong
		encryption for authentication and transmission. (*N/A if there are no
		wireless networks.) (FFIEC Information Security Booklet, page 40)

Evolving		There is a firewall at each Internet connection and between any
		Demilitarized Zone (DMZ) and internal network(s).
		Antivirus and intrusion detection/prevention systems (IDS/IPS) detect and
		block actual and attempted attacks or intrusions.
		Technical controls prevent unauthorized devices, including rogue wireless
		access devices and removable media, from connecting to the internal
		network(s).
		A risk-based solution is in place at the institution or Internet hosting

June 2015

FFIEC Cybersecurity Assessment Tool			Cybersecurity Maturity: Domain 3


		provider to mitigate disruptive cyber attacks (e.g., DDoS attacks).
		Guest wireless networks are fully segregated from the internal network(s).
		(*N/A if there are no wireless networks.)
		Domain Name System Security Extensions (DNSSEC) is deployed
		across the enterprise.
		Critical systems supported by legacy technologies are regularly reviewed
		to identify for potential vulnerabilities, upgrade opportunities, or new
		defense layers.
		Controls for unsupported systems are implemented and tested.

	Intermediate	The enterprise network is segmented in multiple, separate trust/security
		zones with defense-in-depth strategies (e.g., logical network
		segmentation, hard backups, air-gapping) to mitigate attacks.
		Security controls are used for remote access to all administrative
		consoles, including restricted virtual systems.
		Wireless network environments have perimeter firewalls that are
		implemented and configured to restrict unauthorized traffic. (*N/A if there
		are no wireless networks.)
		Wireless networks use strong encryption with encryption keys that are
		changed frequently. (*N/A if there are no wireless networks.)
		The broadcast range of the wireless network(s) is confined to institution-
		controlled boundaries. (*N/A if there are no wireless networks.)
		Technical measures are in place to prevent the execution of unauthorized
		code on institution owned or managed devices, network infrastructure,
		and systems components.

	Advanced	Network environments and virtual instances are designed and configured
		to restrict and monitor traffic between trusted and untrusted zones.
		Only one primary function is permitted per server to prevent functions that
		require different security levels from co-existing on the same server.
		Anti-spoofing measures are in place to detect and block forged source IP
		addresses from entering the network.

	Innovative	The institution risk scores all of its infrastructure assets and updates in
		real time based on threats, vulnerabilities, or operational changes.
		Automated controls are put in place based on risk scores to infrastructure
		assets, including automatically disconnecting affected assets.
		The institution proactively seeks to identify control gaps that may be used
		as part of a zero-day attack.

June 2015

FFIEC Cybersecurity Assessment Tool	Cybersecurity Maturity: Domain 3

ACCESS AND DATA MANAGEMENT

Baseline

Public-facing servers are routinely rotated and restored to a known clean state to limit the window of time a system is exposed to potential threats.

Employee access is granted to systems and confidential data based on job responsibilities and the principles of least privilege. (FFIEC Information Security Booklet, page 19)

Employee access to systems and confidential data provides for separation of duties. (FFIEC Information Security Booklet, page 19)

Elevated privileges (e.g., administrator privileges) are limited and tightly controlled (e.g., assigned to individuals, not shared, and require stronger password controls). (FFIEC Information Security Booklet, page 19)

User access reviews are performed periodically for all systems and applications based on the risk to the application or system. (FFIEC Information Security Booklet, page 18)

Changes to physical and logical user access, including those that result from voluntary and involuntary terminations, are submitted to and approved by appropriate personnel. (FFIEC Information Security Booklet, page 18)

Identification and authentication are required and managed for access to systems, applications, and hardware. (FFIEC Information Security Booklet, page 21)

Access controls include password complexity and limits to password attempts and reuse. (FFIEC Information Security Booklet, page 66)

All default passwords and unnecessary default accounts are changed before system implementation. (FFIEC Information Security Booklet, page 61)

Customer access to Internet-based products or services requires authentication controls (e.g., layered controls, multifactor) that are commensurate with the risk. (FFIEC Information Security Booklet, page 21)

Production and non-production environments are segregated to prevent

unauthorized access or changes to information assets. (*N/A if no production environment exists at the institution or the institution’s third

party.) (FFIEC Information Security Booklet, page 64)

Physical security controls are used to prevent unauthorized access to information systems and telecommunication systems. (FFIEC Information Security Booklet, page 47)

All passwords are encrypted in storage and in transit. (FFIEC Information Security Booklet, page 21)

June 2015

FFIEC Cybersecurity Assessment Tool	Cybersecurity Maturity: Domain 3

			Confidential data are encrypted when transmitted across public or
			untrusted networks (e.g., Internet). (FFIEC Information Security Booklet,
			page 51)
			Mobile devices (e.g., laptops, tablets, and removable media) are
			encrypted if used to store confidential data. (*N/A if mobile devices are
			not used.) (FFIEC Information Security Booklet, page 51)
			Remote access to critical systems by employees, contractors, and third
			parties uses encrypted connections and multifactor authentication.
			(FFIEC Information Security Booklet, page 45)
			Administrative, physical, or technical controls are in place to prevent
			users without administrative responsibilities from installing unauthorized
			software. (FFIEC Information Security Booklet, page 25)
			Customer service (e.g., the call center) utilizes formal procedures to
			authenticate customers commensurate with the risk of the transaction or
			request. (FFIEC Information Security Booklet, page 19)
			Data is disposed of or destroyed according to documented requirements
			and within expected time frames. (FFIEC Information Security Booklet,
			page 66)

	Evolving		Changes to user access permissions trigger automated notices to
			appropriate personnel.
			Administrators have two accounts: one for administrative use and one for
			general purpose, non-administrative tasks.
			Use of customer data in non-production environments complies with
			legal, regulatory, and internal policy requirements for concealing or
			removing of sensitive data elements.
			Physical access to high-risk or confidential systems is restricted, logged,
			and unauthorized access is blocked.
			Controls are in place to prevent unauthorized access to cryptographic
			keys.

June 2015

FFIEC Cybersecurity Assessment Tool			Cybersecurity Maturity: Domain 3


	Intermediate	The institution has implemented tools to prevent unauthorized access to
		or exfiltration of confidential data.
		Controls are in place to prevent unauthorized escalation of user
		privileges.
		Access controls are in place for database administrators to prevent
		unauthorized downloading or transmission of confidential data.
		All physical and logical access is removed immediately upon notification
		of involuntary termination and within 24 hours of an employee’s voluntary
		departure.
		Multifactor authentication and/or layered controls have been implemented
		to secure all third-party access to the institution's network and/or systems
		and applications.
		Multifactor authentication (e.g., tokens, digital certificates) techniques are
		used for employee access to high-risk systems as identified in the risk
		assessment(s). (*N/A if no high risk systems.)
		Confidential data are encrypted in transit across private connections (e.g.,
		frame relay and T1) and within the institution’s trusted zones.
		Controls are in place to prevent unauthorized access to collaborative
		computing devices and applications (e.g., networked white boards,
		cameras, microphones, online applications such as instant messaging
		and document sharing). (* N/A if collaborative computing devices are not
		used.)

	Advanced	Encryption of select data at rest is determined by the institution’s data
		classification and risk assessment.
		Customer authentication for high-risk transactions includes methods to
		prevent malware and man-in-the-middle attacks (e.g., using visual
		transaction signing).

June 2015

FFIEC Cybersecurity Assessment Tool	Cybersecurity Maturity: Domain 3

DEVICE/END-POINT SECURITY

Innovative		Adaptive access controls de-provision or isolate an employee, third-party,
		or customer credentials to minimize potential damage if malicious
		behavior is suspected.
		Unstructured confidential data are tracked and secured through an
		identity-aware, cross-platform storage system that protects against
		internal threats, monitors user access, and tracks changes.
		Tokenization is used to substitute unique values for confidential
		information (e.g., virtual credit card).
		The institution is leading efforts to create new technologies and
		processes for managing customer, employee, and third-party
		authentication and access.
		Real-time risk mitigation is taken based on automated risk scoring of user
		credentials.
Baseline		Controls are in place to restrict the use of removable media to authorized
		personnel. (FFIEC Information Security Work Program, Objective I: 4-1)

Evolving		Tools automatically block attempted access from unpatched employee
		and third-party devices.
		Tools automatically block attempted access by unregistered devices to
		internal networks.
		The institution has controls to prevent the unauthorized addition of new
		connections.
		Controls are in place to prevent unauthorized individuals from copying
		confidential data to removable media.
		Antivirus and anti-malware tools are deployed on end-point devices (e.g.,
		workstations, laptops, and mobile devices).
		Mobile devices with access to the institution’s data are centrally managed
		for antivirus and patch deployment. (*N/A if mobile devices are not used.)
		The institution wipes data remotely on mobile devices when a device is
		missing or stolen. (*N/A if mobile devices are not used.)

Intermediate		Data loss prevention controls or devices are implemented for inbound and
		outbound communications (e.g., e-mail, FTP, Telnet, prevention of large
		file transfers).
		Mobile device management includes integrity scanning (e.g.,
		jailbreak/rooted detection). (*N/A if mobile devices are not used.)
		Mobile devices connecting to the corporate network for storing and
		accessing company information allow for remote software version/patch
		validation. (*N/A if mobile devices are not used.)

June 2015

	FFIEC Cybersecurity Assessment Tool			Cybersecurity Maturity: Domain 3


		Advanced	Employees’ and third parties’ devices (including mobile) without the latest
			security patches are quarantined and patched before the device is
			granted access to the network.
			Confidential data and applications on mobile devices are only accessible
			via a secure, isolated sandbox or a secure container.

		Innovative	A centralized end-point management tool provides fully integrated patch,
			configuration, and vulnerability management, while also being able to
			detect malware upon arrival to prevent an exploit.

CODING		Baseline	Developers working for the institution follow secure program coding
		Baseline
			practices, as part of a system development life cycle (SDLC), that meet
SECURE			industry standards. (FFIEC Information Security Booklet, page 56)
SECURE			The security controls of internally developed software are periodically

			reviewed and tested. (*N/A if there is no software development.) (FFIEC
			Information Security Booklet, page 59)
			The security controls in internally developed software code are
			independently reviewed before migrating the code to production. (*N/A if
			there is no software development.) (FFIEC Development and Acquisition
			Booklet, page 2)
			Intellectual property and production code are held in escrow. (*N/A if
			there is no production code to hold in escrow.) (FFIEC Development and
			Acquisition Booklet, page 39)

		Evolving	Security testing occurs at all post-design phases of the SDLC for all
			applications, including mobile applications. (*N/A if there is no software
			development.)

		Intermediate	Processes are in place to mitigate vulnerabilities identified as part of the
			secure development of systems and applications.
			The security of applications, including Web-based applications connected
			to the Internet, is tested against known types of cyber attacks (e.g., SQL
			injection, cross-site scripting, buffer overflow) before implementation or
			following significant changes.
			Software code executables and scripts are digitally signed to confirm the
			software author and guarantee that the code has not been altered or
			corrupted.
			A risk-based, independent information assurance function evaluates the
			security of internal applications.

		Advanced	Vulnerabilities identified through a static code analysis are remediated
			before implementing newly developed or changed applications into
			production.
			All interdependencies between applications and services have been

June 2015

FFIEC Cybersecurity Assessment Tool	Cybersecurity Maturity: Domain 3

THREAT AND VULNERABILITY DETECTION

			identified.
			Independent code reviews are completed on internally developed or
			vendor-provided custom applications to ensure there are no security
			gaps.

	Innovative		Software code is actively scanned by automated tools in the development
			environment so that security weaknesses can be resolved immediately
			during the design phase.
			Assessment Factor: Detective Controls
			Assessment Factor: Detective Controls
	Baseline		Independent testing (including penetration testing and vulnerability
	Baseline
			scanning) is conducted according to the risk assessment for external-
			facing systems and the internal network. (FFIEC Information Security
			Booklet, page 61)
			Antivirus and anti-malware tools are used to detect attacks. (FFIEC
			Information Security Booklet, page 55)
			Firewall rules are audited or verified at least quarterly. (FFIEC Information
			Security Booklet, page 82)
			E-mail protection mechanisms are used to filter for common cyber threats
			(e.g., attached malware or malicious links). (FFIEC Information Security
			Booklet, page 39)

	Evolving		Independent penetration testing of network boundary and critical Web-
			facing applications is performed routinely to identify security control gaps.
			Independent penetration testing is performed on Internet-facing
			applications or systems before they are launched or undergo significant
			change.
			Antivirus and anti-malware tools are updated automatically.
			Firewall rules are updated routinely.
			Vulnerability scanning is conducted and analyzed before
			deployment/redeployment of new/existing devices.
			Processes are in place to monitor potential insider activity that could lead
			to data theft or destruction.

	Intermediate		Audit or risk management resources review the penetration testing scope
			and results to help determine the need for rotating companies based on
			the quality of the work.
			E-mails and attachments are automatically scanned to detect malware
			and are blocked when malware is present.

June 2015

	FFIEC Cybersecurity Assessment Tool			Cybersecurity Maturity: Domain 3


		Advanced	Weekly vulnerability scanning is rotated among environments to scan all
			environments throughout the year.
			Penetration tests include cyber attack simulations and/or real-world
			tactics and techniques such as red team testing to detect control gaps in
			employee behavior, security defenses, policies, and resources.
			Automated tool(s) proactively identifies high-risk behavior signaling an
			employee who may pose an insider threat.

		Innovative	User tasks and content (e.g., opening an e-mail attachment) are
			automatically isolated in a secure container or virtual environment so that
			malware can be analyzed but cannot access vital data, end-point
			operating systems, or applications on the institution’s network.
			Vulnerability scanning is performed on a weekly basis across all
			environments.

DETECTION			and reviewed. (FFIEC Wholesale Payments Booklet, page 12)
		Baseline	The institution is able to detect anomalous activities through monitoring
			across the environment. (FFIEC Information Security Booklet, page 32)
ACTIVITY			Customer transactions generating anomalous activity alerts are monitored
ACTIVITY			Logs of physical and/or logical access are reviewed following events.

ANOMALOUS			(FFIEC Information Security Booklet, page 73)
ANOMALOUS			Access to critical systems by third parties is monitored for unauthorized or

			unusual activity. (FFIEC Outsourcing Booklet, page 26)
			Elevated privileges are monitored. (FFIEC Information Security Booklet,
			page 19)

		Evolving	Systems are in place to detect anomalous behavior automatically during
			customer, employee, and third-party authentication.
			Security logs are reviewed regularly.
			Logs provide traceability for all system access by individual users.
			Thresholds have been established to determine activity within logs that
			would warrant management response.

June 2015

FFIEC Cybersecurity Assessment Tool		Cybersecurity Maturity: Domain 3


Intermediate	Online customer transactions are actively monitored for anomalous
	behavior.
	Tools to detect unauthorized data mining are used.
	Tools actively monitor security logs for anomalous behavior and alert
	within established parameters.
	Audit logs are backed up to a centralized log server or media that is
	difficult to alter.

		Thresholds for security logging are evaluated periodically.
		Anomalous activity and other network and system alerts are correlated
		across business units to detect and prevent multifaceted attacks (e.g.,
		simultaneous account takeover and DDoS attack).

	Advanced	An automated tool triggers system and/or fraud alerts when customer
		logins occur within a short period of time but from physically distant IP
		locations.
		External transfers from customer accounts generate alerts and require
		review and authorization if anomalous behavior is detected.
		A system is in place to monitor and analyze employee behavior (network
		use patterns, work hours, and known devices) to alert on anomalous
		activities.
		An automated tool(s) is in place to detect and prevent data mining by
		insider threats.
		Tags on fictitious confidential data or files are used to provide advanced
		alerts of potential malicious activity when the data is accessed.

	Innovative	The institution has a mechanism for real-time automated risk scoring of
		threats.
		The institution is developing new technologies that will detect potential
		insider threats and block activity in real time.

June 2015

FFIEC Cybersecurity Assessment Tool	Cybersecurity Maturity: Domain 3

EVENT DETECTION

Baseline		A normal network activity baseline is established. (FFIEC Information
		Security Booklet, page 77)
		Mechanisms (e.g., antivirus alerts, log event alerts) are in place to alert
		management to potential attacks. (FFIEC Information Security Booklet,
		page 78)
		Processes are in place to monitor for the presence of unauthorized users,
		devices, connections, and software. (FFIEC Information Security Work
		Program, Objective II: M-9)
		Responsibilities for monitoring and reporting suspicious systems activity
		have been assigned. (FFIEC Information Security Booklet, page 83)
		The physical environment is monitored to detect potential unauthorized
		access. (FFIEC Information Security Booklet, page 47)

Evolving		A process is in place to correlate event information from multiple sources
		(e.g., network, application, or firewall).

Intermediate		Controls or tools (e.g., data loss prevention) are in place to detect
		potential unauthorized or unintentional transmissions of confidential data.
		Event detection processes are proven reliable.
		Specialized security monitoring is used for critical assets throughout the
		infrastructure.

Advanced		Automated tools detect unauthorized changes to critical system files,
		firewalls, IPS, IDS, or other security devices.
		Real-time network monitoring and detection is implemented and
		incorporates sector-wide event information.
		Real-time alerts are automatically sent when unauthorized software,
		hardware, or changes occur.
		Tools are in place to actively correlate event information from multiple
		sources and send alerts based on established parameters.

Innovative		The institution is leading efforts to develop event detection systems that
		will correlate in real time when events are about to occur.
		The institution is leading the development effort to design new
		technologies that will detect potential insider threats and block activity in
		real time.

June 2015

FFIEC Cybersecurity Assessment Tool	Cybersecurity Maturity: Domain 3

PATCH MANAGEMENT

		Assessment Factor: Corrective Controls
Baseline		A patch management program is implemented and ensures that software
Baseline
		and firmware patches are applied in a timely manner. (FFIEC Information
		Security Booklet, page 62)
		Patches are tested before being applied to systems and/or software.
		(FFIEC Operations Booklet, page 22)
		Patch management reports are reviewed and reflect missing security
		patches. (FFIEC Development and Acquisition Booklet, page 50)

Evolving		A formal process is in place to acquire, test, and deploy software patches
		based on criticality.
		Systems are configured to retrieve patches automatically.
		Operational impact is evaluated before deploying security patches.
		An automated tool(s) is used to identify missing security patches as well
		as the number of days since each patch became available.
		Missing patches across all environments are prioritized and tracked.

Intermediate		Patches for high-risk vulnerabilities are tested and applied when released
		or the risk is accepted and accountability assigned.

Advanced		Patch monitoring software is installed on all servers to identify any
		missing patches for the operating system software, middleware,
		database, and other key software.
		The institution monitors patch management reports to ensure security
		patches are tested and implemented within aggressive time frames (e.g.,
		0-30 days).

Innovative		The institution develops security patches or bug fixes or contributes to
		open source code development for systems it uses.
		Segregated or separate systems are in place that mirror production
		systems allowing for rapid testing and implementation of patches and
		provide for rapid fallback when needed.

June 2015

FFIEC Cybersecurity Assessment Tool	Cybersecurity Maturity: Domain 3

REMEDIATION

Baseline		Issues identified in assessments are prioritized and resolved based on
		criticality and within the time frames established in the response to the
		assessment report. (FFIEC Information Security Booklet, page 87)

Evolving		Data is destroyed or wiped on hardware and portable/mobile media when
		a device is missing, stolen, or no longer needed.
		Formal processes are in place to resolve weaknesses identified during
		penetration testing.

Intermediate		Remediation efforts are confirmed by conducting a follow-up vulnerability
		scan.
		Penetration testing is repeated to confirm that medium- and high-risk,
		exploitable vulnerabilities have been resolved.
		Security investigations, forensic analysis, and remediation are performed
		by qualified staff or third parties.
		Generally accepted and appropriate forensic procedures, including chain
		of custody, are used to gather and present evidence to support potential
		legal action.
		The maintenance and repair of organizational assets are performed by
		authorized individuals with approved and controlled tools.
		The maintenance and repair of organizational assets are logged in a
		timely manner.

Advanced		All medium and high risk issues identified in penetration testing,
		vulnerability scanning, and other independent testing are escalated to the
		board or an appropriate board committee for risk acceptance if not
		resolved in a timely manner.

Innovative		The institution is developing technologies that will remediate systems
		damaged by zero-day attacks to maintain current recovery time
		objectives.

June 2015

FFIEC Cybersecurity Assessment Tool	Cybersecurity Maturity: Domain 4

CONNECTIONS

	Domain 4: External Dependency Management
			Assessment Factor: Connections
		Y, N
		Y, N
Baseline			The critical business processes that are dependent on external
			connectivity have been identified. (FFIEC Information Security Booklet,
			page 9)
			The institution ensures that third-party connections are authorized.
			(FFIEC Information Security Booklet, page 17)
			A network diagram is in place and identifies all external connections.
			(FFIEC Information Security Booklet, page 9)
			Data flow diagrams are in place and document information flow to
			external parties. (FFIEC Information Security Booklet, page 10)

Evolving			Critical business processes have been mapped to the supporting
			external connections.
			The network diagram is updated when connections with third parties
			change or at least annually.
			Network and systems diagrams are stored in a secure manner with
			proper restrictions on access.
			Controls for primary and backup third-party connections are monitored
			and tested on a regular basis.

Intermediate			A validated asset inventory is used to create comprehensive diagrams
			depicting data repositories, data flow, infrastructure, and connectivity.
			Security controls are designed and verified to detect and prevent
			intrusions from third-party connections.
			Monitoring controls cover all external connections (e.g., third-party
			service providers, business partners, customers).
			Monitoring controls cover all internal network-to-network connections.

Advanced			The security architecture is validated and documented before network
			connection infrastructure changes.
			The institution works closely with third-party service providers to
			maintain and improve the security of external connections.

June 2015

FFIEC Cybersecurity Assessment Tool	Cybersecurity Maturity: Domain 4

Innovative

Diagram(s) of external connections is interactive, shows real-time changes to the network connection infrastructure, new connections, and volume fluctuations, and alerts when risks arise.

The institution's connections can be segmented or severed instantaneously to prevent contagion from cyber attacks.

DUE DILIGENCE

	Assessment Factor: Relationship Management
Baseline		Risk-based due diligence is performed on prospective third parties
Baseline
		before contracts are signed, including reviews of their background,
		reputation, financial condition, stability, and security controls. (FFIEC
		Information Security Booklet, page 69)
		A list of third-party service providers is maintained. (FFIEC Outsourcing
		Booklet, page 19)
		A risk assessment is conducted to identify criticality of service
		providers. (FFIEC Outsourcing Booklet, page 6)

Evolving		A formal process exists to analyze assessments of third-party
		cybersecurity controls.
		The board or an appropriate board committee reviews a summary of
		due diligence results including management’s recommendations to use
		third parties that will affect the institution’s inherent risk profile.

Intermediate		A process is in place to confirm that the institution’s third-party service
		providers conduct due diligence of their third parties (e.g.,
		subcontractors).
		Pre-contract, physical site visits of high-risk vendors are conducted by
		the institution or by a qualified third party.

Assessment Chief – Fill Out and Use

Ffiec Tool Details

Form Preview Example