Ffiec Tool Details

Assessment chiefs play an important role in their districts by ensuring that all students receive a quality education. According to the National Assessment of Educational Progress (NAEP), assessment chiefs are responsible for designing and implementing assessments, as well as analyzing and using assessment data to improve student learning. In order to become an assessment chief, you need to have experience in assessment design and implementation, as well as data analysis. If you're interested in working in this field, read on to learn more about the requirements and responsibilities of this position.

In the list, there is some good information about the assessment chief. Before you decide to fill out the form, it's worth reading a little more about it.

Question: Answer
Form Name: Assessment Chief
Form Length: 123 pages
Fillable?: No
Fillable fields: 0
Avg. time to fill out: 30 min 45 sec
Other names: ffiec assessment tool, cybersecurity assessment tool ffiec, ffiec assessment, cat tool ffiet

Form Preview Example

FFIEC Cybersecurity Assessment Tool

Overview for Chief Executive Officers and Boards of Directors

In light of the increasing volume and sophistication of cyber threats, the Federal Financial Institutions Examination Council1 (FFIEC) developed the Cybersecurity Assessment Tool (Assessment), on behalf of its members, to help institutions identify their risks and determine their cybersecurity preparedness. The Assessment provides a repeatable and measurable process for institutions to measure their cybersecurity preparedness over time. The Assessment incorporates cybersecurity-related principles from the FFIEC Information Technology (IT) Examination Handbook and regulatory guidance, and concepts from other industry standards, including the National Institute of Standards and Technology (NIST) Cybersecurity Framework.2

Benefits to the Institution

For institutions using the Assessment, management will be able to enhance their oversight and management of the institution’s cybersecurity by doing the following:

Identifying factors contributing to and determining the institution’s overall cyber risk.

Assessing the institution’s cybersecurity preparedness.

Evaluating whether the institution’s cybersecurity preparedness is aligned with its risks.

Determining risk management practices and controls that are needed or need enhancement and actions to be taken to achieve the desired state.

Informing risk management strategies.

CEO and Board of Directors

The role of the chief executive officer (CEO), with management’s support, may include the responsibility to do the following:

Develop a plan to conduct the Assessment.

Lead employee efforts during the Assessment to facilitate timely responses from across the institution.

Set the target state of cybersecurity preparedness that best aligns to the board of directors’ (board) stated (or approved) risk appetite.

Review, approve, and support plans to address risk management and control weaknesses.

Analyze and present results for executive oversight, including key stakeholders and the board, or an appropriate board committee.

1The FFIEC comprises the principals of the following: The Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, National Credit Union Administration, Office of the Comptroller of the Currency, Consumer Financial Protection Bureau, and State Liaison Committee.

2A mapping is available in Appendix B: Mapping Cybersecurity Assessment Tool to the NIST Cybersecurity Framework. NIST reviewed and provided input on the mapping to ensure consistency with Framework principles and to highlight the complementary nature of the two resources.

June 2015


Oversee the performance of ongoing monitoring to remain nimble and agile in addressing evolving areas of cybersecurity risk.

Oversee changes to maintain or increase the desired cybersecurity preparedness.

The role of the board, or an appropriate board committee, may include the responsibility to do the following:

Engage management in establishing the institution’s vision, risk appetite, and overall strategic direction.

Approve plans to use the Assessment.

Review management’s analysis of the Assessment results, inclusive of any reviews or opinions on the results issued by independent risk management or internal audit functions regarding those results.

Review management’s determination of whether the institution’s cybersecurity preparedness is aligned with its risks.

Review and approve plans to address any risk management or control weaknesses.

Review the results of management’s ongoing monitoring of the institution’s exposure to and preparedness for cyber threats.

Assessment’s Parts and Process

The Assessment consists of two parts: Inherent Risk Profile and Cybersecurity Maturity. Upon completion of both parts, management can evaluate whether the institution’s inherent risk and preparedness are aligned.

Inherent Risk Profile

Cybersecurity inherent risk is the level of risk posed to the institution by the following:

Technologies and Connection Types

Delivery Channels

Online/Mobile Products and Technology Services

Organizational Characteristics

External Threats

Inherent risk incorporates the type, volume, and complexity of the institution’s operations and threats directed at the institution. Inherent risk does not include mitigating controls. The Inherent Risk Profile includes descriptions of activities across risk categories with definitions for the least to most levels of inherent risk. The profile helps management determine exposure to risk that the institution’s activities, services, and products individually and collectively pose to the institution.

Inherent risk scale (figure): Least Inherent Risk, Minimal Inherent Risk, Moderate Inherent Risk, Significant Inherent Risk, Most Inherent Risk.

When each of the activities, services, and products are assessed, management can review the results and determine the institution’s overall inherent risk profile.


Cybersecurity Maturity

The Assessment’s second part is Cybersecurity Maturity, designed to help management measure the institution’s level of risk and corresponding controls. The levels range from baseline to innovative. Cybersecurity Maturity includes statements to determine whether an institution’s behaviors, practices, and processes can support cybersecurity preparedness within the following five domains:

Cyber Risk Management and Oversight

Threat Intelligence and Collaboration

Cybersecurity Controls

External Dependency Management

Cyber Incident Management and Resilience

Maturity levels (figure): Baseline, Evolving, Intermediate, Advanced, Innovative.

The domains include assessment factors and contributing components. Within each component, declarative statements describe activities supporting the assessment factor at each maturity level. Management determines which declarative statements best fit the current practices of the institution. All declarative statements in each maturity level, and previous levels, must be attained and sustained to achieve that domain’s maturity level. While management can determine the institution’s maturity level in each domain, the Assessment is not designed to identify an overall cybersecurity maturity level. The figure below provides the five domains and assessment factors.

Domain 1: Cyber Risk Management & Oversight: Governance; Risk Management; Resources; Training and Culture

Domain 2: Threat Intelligence & Collaboration: Threat Intelligence; Monitoring and Analyzing; Information Sharing

Domain 3: Cybersecurity Controls: Preventative Controls; Detective Controls; Corrective Controls

Domain 4: External Dependency Management: Connections; Relationship Management

Domain 5: Cyber Incident Management and Resilience: Incident Resilience Planning and Strategy; Detection, Response, and Mitigation; Escalation and Reporting


Management can review the institution’s Inherent Risk Profile in relation to its Cybersecurity Maturity results for each domain to understand whether they are aligned. The following table depicts the relationship between an institution’s Inherent Risk Profile and its domain Maturity Levels, as there is no single expected level for an institution. In general, as inherent risk rises, an institution’s maturity levels should increase. An institution’s inherent risk profile and maturity levels will change over time as threats, vulnerabilities, and operational environments change. Thus, management should consider reevaluating the institution’s inherent risk profile and cybersecurity maturity periodically and when planned changes can affect its inherent risk profile (e.g., launching new products or services, new connections).

Risk/Maturity Relationship (table): Inherent Risk Levels (columns) against Cybersecurity Maturity Level for Each Domain (rows)

Inherent Risk Levels: Least | Minimal | Moderate | Significant | Most

Cybersecurity Maturity Level for Each Domain: Innovative | Advanced | Intermediate | Evolving | Baseline

Management can then decide what actions are needed either to affect the inherent risk profile or to achieve a desired state of maturity. On an ongoing basis, management may use the Assessment to identify changes to the institution’s inherent risk profile when new threats arise or when considering changes to the business strategy, such as expanding operations, offering new products and services, or entering into new third-party relationships that support critical activities. Consequently, management can determine whether additional risk management practices or controls are needed to maintain or augment the institution’s cybersecurity maturity.

Supporting Implementation

An essential part of implementing the Assessment is to validate the institution’s process and findings and the effectiveness and sufficiency of the plans to address any identified weaknesses. The next section provides some questions to assist management and the board when using the Assessment.

Assessment cycle (figure): Assess maturity and inherent risk; Identify gaps in alignment; Determine desired state of maturity; Implement plans to attain and sustain maturity; Reevaluate.

Cybersecurity Management & Oversight

What are the potential cyber threats to the institution?

Is the institution a direct target of attacks?

Is the institution’s cybersecurity preparedness receiving the appropriate level of time and attention from management and the board or an appropriate board committee?


Do the institution’s policies and procedures demonstrate management’s commitment to sustaining appropriate cybersecurity maturity levels?

What is the ongoing process for gathering, monitoring, analyzing, and reporting risks?

Who is accountable for assessing and managing the risks posed by changes to the business strategy or technology?

Are the accountable individuals empowered with the authority to carry out these responsibilities?

Do the inherent risk profile and cybersecurity maturity levels meet management’s business and risk management expectations? If there is misalignment, what are the proposed plans to bring them into alignment?

How can management and the board, or an appropriate board committee, make this process part of the institution’s enterprise-wide governance framework?

Inherent Risk Profile

What is the process for gathering and validating the information for the inherent risk profile and cybersecurity maturity?

How can management and the board, or an appropriate board committee, support improvements to the institution’s process for conducting the Assessment?

What do the results of the Assessment mean to the institution as it looks at its overall risk profile?

What are the institution’s areas of highest inherent risk?

Is management updating the institution’s inherent risk profile to reflect changes in activities, services, and products?

Cybersecurity Maturity

How effective are the institution’s risk management activities and controls identified in the Assessment?

Are there more efficient or effective means for attaining or improving the institution’s risk management and controls?

What third parties does the institution rely on to support critical activities?

What is the process to oversee third parties and understand their inherent risks and cybersecurity maturity?

How does management validate the type and volume of attacks?

Is the institution sharing threat information with peers, law enforcement, and critical third parties through information-sharing procedures?

Summary

FFIEC has developed the Assessment to assist management and the board, or an appropriate board committee, in assessing their institution’s cybersecurity preparedness and risk. For more information and additional questions to consider, refer to the FFIEC Cybersecurity Assessment General Observations on the FFIEC’s Web site.


OMB Control 1557-0328

Expiration Date: December 31, 2015

FFIEC

Cybersecurity Assessment Tool

June 2015

Contents

Contents ... i
User’s Guide ... 1
Overview ... 1
Background ... 2
Completing the Assessment ... 2
Part One: Inherent Risk Profile ... 3
Part Two: Cybersecurity Maturity ... 5
Interpreting and Analyzing Assessment Results ... 8
Resources ... 10
Inherent Risk Profile ... 11
Cybersecurity Maturity ... 19
Domain 1: Cyber Risk Management and Oversight ... 19
Domain 2: Threat Intelligence and Collaboration ... 30
Domain 3: Cybersecurity Controls ... 34
Domain 4: External Dependency Management ... 47
Domain 5: Cyber Incident Management and Resilience ... 51
Additional Resources
Overview for Chief Executive Officers and Boards of Directors
Appendix A: Mapping Baseline Statements to FFIEC IT Examination Handbook
Appendix B: Mapping Cybersecurity Assessment Tool to NIST Cybersecurity Framework
Appendix C: Glossary

User’s Guide

Overview

In light of the increasing volume and sophistication of cyber threats, the Federal Financial Institutions Examination Council1 (FFIEC) developed the Cybersecurity Assessment Tool (Assessment), on behalf of its members, to help institutions identify their risks and determine their cybersecurity maturity.

The content of the Assessment is consistent with the principles of the FFIEC Information Technology Examination Handbook (IT Handbook) and the National Institute of Standards and Technology (NIST) Cybersecurity Framework,2 as well as industry accepted cybersecurity practices. The Assessment provides institutions with a repeatable and measurable process to inform management of their institution’s risks and cybersecurity preparedness.

The Assessment consists of two parts: Inherent Risk Profile and Cybersecurity Maturity. The Inherent Risk Profile identifies the institution’s inherent risk before implementing controls. The Cybersecurity Maturity includes domains, assessment factors, components, and individual declarative statements across five maturity levels to identify specific controls and practices that are in place. While management can determine the institution’s maturity level in each domain, the Assessment is not designed to identify an overall cybersecurity maturity level.

To complete the Assessment, management first assesses the institution’s inherent risk profile based on five categories:

Technologies and Connection Types

Delivery Channels

Online/Mobile Products and Technology Services

Organizational Characteristics

External Threats

Management then evaluates the institution’s Cybersecurity Maturity level for each of five domains:

Cyber Risk Management and Oversight

Threat Intelligence and Collaboration

Cybersecurity Controls

External Dependency Management

Cyber Incident Management and Resilience

1The FFIEC comprises the principals of the following: The Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, National Credit Union Administration, Office of the Comptroller of the Currency, Consumer Financial Protection Bureau, and State Liaison Committee.

2A mapping is available in Appendix B: Mapping Cybersecurity Assessment Tool to the NIST Cybersecurity Framework. NIST reviewed and provided input on the mapping to ensure consistency with Framework principles and to highlight the complementary nature of the two resources.


By reviewing both the institution’s inherent risk profile and maturity levels across the domains, management can determine whether its maturity levels are appropriate in relation to its risk. If not, the institution may take action either to reduce the level of risk or to increase the levels of maturity. This process is intended to complement, not replace, an institution’s risk management process and cybersecurity program.

Background

The Assessment is based on the cybersecurity assessment that the FFIEC members piloted in 2014, which was designed to evaluate community institutions’ preparedness to mitigate cyber risks. NIST defines cybersecurity as “the process of protecting information by preventing, detecting, and responding to attacks.” As part of cybersecurity, institutions should consider managing internal and external threats and vulnerabilities to protect infrastructure and information assets. The definition builds on information security as defined in FFIEC guidance.

Cyber incidents can have financial, operational, legal, and reputational impact. Recent high-profile cyber attacks demonstrate that cyber incidents can significantly affect capital and earnings. Costs may include forensic investigations, public relations campaigns, legal fees, consumer credit monitoring, and technology changes. As such, cybersecurity needs to be integrated throughout an institution as part of enterprise-wide governance processes, information security, business continuity, and third-party risk management. For example, an institution’s cybersecurity policies may be incorporated within the information security program. In addition, cybersecurity roles and processes referred to in the Assessment may be separate roles within the security group (or outsourced) or may be part of broader roles across the institution.

Completing the Assessment

The Assessment is designed to provide a measurable and repeatable process to assess an institution’s level of cybersecurity risk and preparedness. Part one of this Assessment is the Inherent Risk Profile, which identifies an institution’s inherent risk relevant to cyber risks. Part two is the Cybersecurity Maturity, which determines an institution’s current state of cybersecurity preparedness represented by maturity levels across five domains. For this Assessment to be an effective risk management tool, an institution may want to complete it periodically and as significant operational and technological changes occur.

Cyber risk programs build upon and align existing information security, business continuity, and disaster recovery programs. The Assessment is intended to be used primarily on an enterprise-wide basis and when introducing new products and services as follows:

Enterprise-wide. Management may review the Inherent Risk Profile and the declarative statements to understand which policies, procedures, processes, and controls are in place enterprise-wide and where gaps may exist. Following this review, management can determine appropriate maturity levels for the institution in each domain or the target state for Cybersecurity Maturity. Management can then develop action plans for achieving the target state.

New products, services, or initiatives. Using the Assessment before launching a new product, service, or initiative can help management understand how these might affect the institution’s inherent risk profile and resulting desired maturity levels.


Part One: Inherent Risk Profile

Part one of the Assessment identifies the institution’s inherent risk. The Inherent Risk Profile identifies activities, services, and products organized in the following categories:

Technologies and Connection Types. Certain types of connections and technologies may pose a higher inherent risk depending on the complexity and maturity, connections, and nature of the specific technology products or services. This category includes the number of Internet service provider (ISP) and third-party connections, whether systems are hosted internally or outsourced, the number of unsecured connections, the use of wireless access, volume of network devices, end-of-life systems, extent of cloud services, and use of personal devices.

Delivery Channels. Various delivery channels for products and services may pose a higher inherent risk depending on the nature of the specific product or service offered. Inherent risk increases as the variety and number of delivery channels increases. This category addresses whether products and services are available through online and mobile delivery channels and the extent of automated teller machine (ATM) operations.

Online/Mobile Products and Technology Services. Different products and technology services offered by institutions may pose a higher inherent risk depending on the nature of the specific product or service offered. This category includes various payment services, such as debit and credit cards, person-to-person payments, originating automated clearing house (ACH), retail wire transfers, wholesale payments, merchant remote deposit capture, treasury services and clients and trust services, global remittances, correspondent banking, and merchant acquiring activities. This category also includes consideration of whether the institution provides technology services to other organizations.

Organizational Characteristics. This category considers organizational characteristics, such as mergers and acquisitions, number of direct employees and cybersecurity contractors, changes in security staffing, the number of users with privileged access, changes in information technology (IT) environment, locations of business presence, and locations of operations and data centers.

External Threats. The volume and type of attacks (attempted or successful) affect an institution’s inherent risk exposure. This category considers the volume and sophistication of the attacks targeting the institution.

Risk Levels

Risk Levels incorporate the type, volume, and complexity of the institution’s operations and threats directed at the institution. Inherent risk does not include mitigating controls.


Select the most appropriate inherent risk level for each activity, service, or product within each category. The levels range from Least Inherent Risk to Most Inherent Risk (Figure 1) and incorporate a wide range of descriptions. The risk levels provide parameters for determining the inherent risk for each category. These parameters are not intended to be rigid but rather instructive to assist with assessing a risk level within each activity, service, or product. For situations where the risk level falls between two levels, management should select the higher risk level.

Figure 1: Inherent Risk Profile Layout

Category: Technologies and Connection Types. Each activity, service, or product is rated against the five risk levels (Least, Minimal, Moderate, Significant, Most).

Total number of Internet service provider (ISP) connections (including branch connections)
Least: No connections
Minimal: Minimal complexity (1–20 connections)
Moderate: Moderate complexity (21–100 connections)
Significant: Significant complexity (101–200 connections)
Most: Substantial complexity (>200 connections)

Unsecured external connections, number of connections not users (e.g., file transfer protocol (FTP), Telnet, rlogin)
Least: None
Minimal: Few instances of unsecured connections (1–5)
Moderate: Several instances of unsecured connections (6–10)
Significant: Significant instances of unsecured connections (11–25)
Most: Substantial instances of unsecured connections (>25)

Wireless network access
Least: No wireless access
Minimal: Separate access points for guest wireless and corporate wireless
Moderate: Guest and corporate wireless network access are logically separated; limited number of users and access points (1–250 users; 1–25 access points)
Significant: Wireless corporate network access; significant number of users and access points (251–1,000 users; 26–100 access points)
Most: Wireless corporate network access; all employees have access; substantial number of access points (>1,000 users; >100 access points)

Determine Inherent Risk Profile

Management can determine the institution’s overall Inherent Risk Profile based on the number of applicable statements in each risk level for all activities (Figure 2). For example, when a majority of activities, products, or services fall within the Moderate Risk Level, management may determine that the institution has a Moderate Inherent Risk Profile. Each category may, however, pose a different level of inherent risk. Therefore, in addition to evaluating the number of instances that an institution selects for a specific risk level, management may also consider evaluating whether the specific category poses additional risk.

Figure 2: Inherent Risk Summary

Risk Levels: Least | Minimal | Moderate | Significant | Most

Number of Statements Selected in Each Risk Level: (count per level)

Based on Individual Risk Levels Selected, Assign an Inherent Risk Profile: Least | Minimal | Moderate | Significant | Most

The following includes definitions of risk levels.

Least Inherent Risk. An institution with a Least Inherent Risk Profile generally has very limited use of technology. It has few computers, applications, systems, and no connections. The variety of products and services are limited. The institution has a small geographic footprint and few employees.

Minimal Inherent Risk. An institution with a Minimal Inherent Risk Profile generally has limited complexity in terms of the technology it uses. It offers a limited variety of less risky products and services. The institution’s mission-critical systems are outsourced. The institution primarily uses established technologies. It maintains a few types of connections to customers and third parties with limited complexity.

Moderate Inherent Risk. An institution with a Moderate Inherent Risk Profile generally uses technology that may be somewhat complex in terms of volume and sophistication. The institution may outsource mission-critical systems and applications and may support elements internally. There is a greater variety of products and services offered through diverse channels.

Significant Inherent Risk. An institution with a Significant Inherent Risk Profile generally uses complex technology in terms of scope and sophistication. The institution offers high-risk products and services that may include emerging technologies. The institution may host a significant number of applications internally. The institution allows either a large number of personal devices or a large variety of device types. The institution maintains a substantial number of connections to customers and third parties. A variety of payment services are offered directly rather than through a third party and may reflect a significant level of transaction volume.

Most Inherent Risk. An institution with a Most Inherent Risk Profile uses extremely complex technologies to deliver myriad products and services. Many of the products and services are at the highest level of risk, including those offered to other organizations. New and emerging technologies are utilized across multiple delivery channels. The institution may outsource some mission-critical systems or applications, but many are hosted internally. The institution maintains a large number of connection types to transfer data with customers and third parties.
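The Figure 1 thresholds, the Figure 2 tally that assigns an Inherent Risk Profile, and the cumulative maturity rule stated earlier (every declarative statement at a level and at all lower levels must be attained), worked through in Python as an added example that is not part of the FFIEC document. The constructed institution, the tie-break toward the higher level, and the numeric handling of the wireless row are assumptions; the threshold values themselves come from Figure 1.

```python
"""Scoring helpers for the FFIEC Cybersecurity Assessment Tool (CAT).

Added example, not FFIEC code: it encodes the Figure 1 thresholds for three
'Technologies and Connection Types' rows, the Figure 2 tally used to assign an
Inherent Risk Profile, and the cumulative declarative-statement rule that decides
a domain's maturity level. Tie-breaking and the wireless handling are assumptions.
"""
from collections import Counter
from typing import Dict, List, Optional, Sequence, Tuple

RISK_LEVELS = ["Least", "Minimal", "Moderate", "Significant", "Most"]
MATURITY_LEVELS = ["Baseline", "Evolving", "Intermediate", "Advanced", "Innovative"]

# Figure 1 rows. Each list gives the inclusive upper bound of the count that still
# qualifies for a level, in RISK_LEVELS order; None means unbounded (the Most level).
ISP_CONNECTION_BOUNDS = [0, 20, 100, 200, None]      # 0, 1-20, 21-100, 101-200, >200
UNSECURED_CONNECTION_BOUNDS = [0, 5, 10, 25, None]   # FTP, Telnet, rlogin, ...
# Wireless row: the Minimal level ("separate guest/corporate access points") carries
# no counts on the page, so its bound repeats 0 and is never assigned from numbers
# alone (assumption of this example).
WIRELESS_USER_BOUNDS = [0, 0, 250, 1000, None]
WIRELESS_AP_BOUNDS = [0, 0, 25, 100, None]


def level_for_count(count: int, bounds: Sequence[Optional[int]]) -> str:
    """Return the first risk level whose upper bound covers `count`."""
    if count < 0:
        raise ValueError("count must be non-negative")
    for level, bound in zip(RISK_LEVELS, bounds):
        if bound is None or count <= bound:
            return level
    raise AssertionError("last bound must be None")


def higher_level(a: str, b: str) -> str:
    """The page says to select the higher level when an activity falls between two."""
    return max(a, b, key=RISK_LEVELS.index)


def wireless_level(users: int, access_points: int) -> str:
    """Users and access points each imply a level; take the higher of the two."""
    return higher_level(level_for_count(users, WIRELESS_USER_BOUNDS),
                        level_for_count(access_points, WIRELESS_AP_BOUNDS))


def inherent_risk_profile(selected: Dict[str, str]) -> Tuple[str, Counter]:
    """Figure 2: count selections per level and assign the profile from the level
    holding the most of them. A tie is broken toward the higher level (assumption,
    in the spirit of the page's 'select the higher risk level' guidance)."""
    tally = Counter(selected.values())
    unknown = set(tally) - set(RISK_LEVELS)
    if unknown:
        raise ValueError(f"unknown risk level(s): {sorted(unknown)}")
    profile = max(RISK_LEVELS, key=lambda lvl: (tally[lvl], RISK_LEVELS.index(lvl)))
    return profile, tally


def domain_maturity(attained: Dict[str, List[bool]]) -> Optional[str]:
    """Cumulative rule: a domain reaches a level only when every declarative
    statement at that level and at all lower levels is attained. A level with no
    recorded statements counts as not attained. Returns None below Baseline."""
    achieved: Optional[str] = None
    for level in MATURITY_LEVELS:
        statements = attained.get(level, [])
        if not statements or not all(statements):
            break
        achieved = level
    return achieved


def score_example() -> Tuple[str, Counter, Optional[str]]:
    """Constructed sample institution (not from the page) run through the helpers."""
    selected = {
        "Total ISP connections (35)": level_for_count(35, ISP_CONNECTION_BOUNDS),
        "Unsecured external connections (0)": level_for_count(0, UNSECURED_CONNECTION_BOUNDS),
        "Wireless access (300 users, 20 APs)": wireless_level(300, 20),
        # Rows from the other Figure 1 categories are not on the page; these two are
        # constructed hand selections so the tally has a clear majority.
        "ATM operations (hand-selected)": "Moderate",
        "Debit/credit cards (hand-selected)": "Moderate",
    }
    profile, tally = inherent_risk_profile(selected)
    # Domain 3 sample: Baseline and Evolving complete, one Intermediate gap.
    domain3 = {
        "Baseline": [True, True, True],
        "Evolving": [True, True],
        "Intermediate": [True, False],
        "Advanced": [True],
    }
    return profile, tally, domain_maturity(domain3)


if __name__ == "__main__":
    profile, tally, maturity = score_example()
    print("Inherent Risk Profile:", profile, dict(tally))
    print("Domain 3 maturity:", maturity)
```

The wireless sample shows the "between two levels" rule in action: 300 users imply Significant while 20 access points imply only Moderate, and the higher level wins.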

Part Two: Cybersecurity Maturity

After determining the Inherent Risk Profile, the institution transitions to the Cybersecurity Maturity part of the Assessment to determine the institution’s maturity level within each of the following five domains:

Domain 1: Cyber Risk Management and Oversight

Domain 2: Threat Intelligence and Collaboration

Domain 3: Cybersecurity Controls

Domain 4: External Dependency Management

Domain 5: Cyber Incident Management and Resilience

Domains, Assessment Factors, Components, and Declarative Statements

Within each domain are assessment factors and contributing components. Under each component, there are declarative statements describing an activity that supports the assessment factor at that level of maturity. Table 1 provides definitions for each domain and the underlying assessment factors.


Table 1: Domains and Assessment Factors Defined

Domain 1

Cyber Risk Management and Oversight

Cyber risk management and oversight addresses the board of directors’ (board’s) oversight and management’s development and implementation of an effective enterprise-wide cybersecurity program with comprehensive policies and procedures for establishing appropriate accountability and oversight.

Assessment Factors

Governance includes oversight, strategies, policies, and IT asset management to implement an effective governance of the cybersecurity program.

Risk Management includes a risk management program, risk assessment process, and audit function to effectively manage risk and assess the effectiveness of key controls.

Resources include staffing, tools, and budgeting processes to ensure the institution’s staff or external resources have knowledge and experience commensurate with the institution’s risk profile.

Training and Culture includes the employee training and customer awareness programs contributing to an organizational culture that emphasizes the mitigation of cybersecurity threats.

Domain 2

Threat Intelligence and Collaboration

Threat intelligence and collaboration includes processes to effectively discover, analyze, and understand cyber threats, with the capability to share information internally and with appropriate third parties.

Assessment Factors

Threat Intelligence refers to the acquisition and analysis of information to identify, track, and predict cyber capabilities, intentions, and activities that offer courses of action to enhance decision making.

Monitoring and Analyzing refers to how an institution monitors threat sources and what analysis may be performed to identify threats that are specific to the institution or to resolve conflicts in the different threat intelligence streams.

Information Sharing encompasses establishing relationships with peers and information-sharing forums and how threat information is communicated to those groups as well as internal stakeholders.

Domain 3

Cybersecurity Controls

Cybersecurity controls are the practices and processes used to protect assets, infrastructure, and information by strengthening the institution’s defensive posture through continuous, automated protection and monitoring.

Assessment Factors

Preventative Controls deter and prevent cyber attacks and include infrastructure management, access management, device and end-point security, and secure coding.

Detective Controls include threat and vulnerability detection, anomalous activity detection, and event detection, and may alert the institution to network and system irregularities that indicate an incident has occurred or may occur.

Corrective Controls are utilized to resolve system and software vulnerabilities through patch management and remediation of issues identified during vulnerability scans and penetration testing.

Domain 4

External Dependency Management

External dependency management involves establishing and maintaining a comprehensive program to oversee and manage external connections and third-party relationships with access to the institution’s technology assets and information.

Assessment Factors

Connections incorporate the identification, monitoring, and management of external connections and data flows to third parties.

Relationship Management includes due diligence, contracts, and ongoing monitoring to help ensure controls complement the institution’s cybersecurity program.

June 2015

6

FFIEC Cybersecurity Assessment Tool

User’s Guide

Domain 5

Cyber Incident Management and Resilience

Cyber incident management includes establishing, identifying, and analyzing cyber events; prioritizing the institution’s containment or mitigation; and escalating information to appropriate stakeholders. Cyber resilience encompasses both planning and testing to maintain and recover ongoing operations during and following a cyber incident.

Assessment Factors

Incident Resilience Planning & Strategy incorporates resilience planning and testing into existing business continuity and disaster recovery plans to minimize service disruptions and the destruction or corruption of data.

Detection, Response, & Mitigation refers to the steps management takes to identify, prioritize, respond to, and mitigate the effects of internal and external threats and vulnerabilities.

Escalation & Reporting ensures key stakeholders are informed about the impact of cyber incidents, and regulators, law enforcement, and customers are notified as required.

Each maturity level includes a set of declarative statements that describe how the behaviors, practices, and processes of an institution can consistently produce the desired outcomes.

The Assessment starts at the Baseline maturity level and progresses to the highest maturity, the Innovative level (Figure 3). Table 2 provides definitions for each of the maturity levels, which are cumulative.

Figure 3: Cybersecurity Maturity Levels (from lowest to highest: Baseline, Evolving, Intermediate, Advanced, Innovative)

Table 2: Maturity Levels Defined

Baseline: Baseline maturity is characterized by minimum expectations required by law and regulations or recommended in supervisory guidance. This level includes compliance-driven objectives. Management has reviewed and evaluated guidance.

Evolving: Evolving maturity is characterized by additional formality of documented procedures and policies that are not already required. Risk-driven objectives are in place. Accountability for cybersecurity is formally assigned and broadened beyond protection of customer information to incorporate information assets and systems.

Intermediate: Intermediate maturity is characterized by detailed, formal processes. Controls are validated and consistent. Risk-management practices and analysis are integrated into business strategies.

Advanced: Advanced maturity is characterized by cybersecurity practices and analytics that are integrated across lines of business. Majority of risk-management processes are automated and include continuous process improvement. Accountability for risk decisions by frontline businesses is formally assigned.

Innovative: Innovative maturity is characterized by driving innovation in people, processes, and technology for the institution and the industry to manage cyber risks. This may entail developing new controls, new tools, or creating new information-sharing groups. Real-time, predictive analytics are tied to automated responses.


Completing the Cybersecurity Maturity

Each domain and maturity level has a set of declarative statements organized by assessment factor. To help the institution follow common themes across maturity levels, statements are categorized by components. The components are groups of similar declarative statements that make the Assessment easier to use (Figure 4).

Figure 4: Cybersecurity Maturity (sample page of the Assessment: columns for Domain, Maturity Level, Assessment Factor, Component, Declarative Statement, and a Y/N answer)

Domain 1: Cyber Risk Management and Oversight
Assessment Factor: Governance
Component: Oversight

Baseline

Designated members of management are held accountable by the board or an appropriate board committee for implementing and managing the information security and business continuity programs. (FFIEC Information Security Booklet, page 3)

Information security risks are discussed in management meetings when prompted by highly visible cyber events or regulatory alerts. (FFIEC Information Security Booklet, page 6)

Management provides a written report on the overall status of the information security and business continuity programs to the board or an appropriate board committee at least annually. (FFIEC Information Security Booklet, page 5)

The budgeting process includes information security related expenses and tools. (FFIEC E-Banking Booklet, page 20)

Management considers the risks posed by other critical infrastructures (e.g., telecommunications, energy) to the institution. (FFIEC Business Continuity Planning Booklet, page J-12)

Evolving

At least annually, the board or an appropriate board committee reviews and approves the institution’s cybersecurity program.

Management is responsible for ensuring compliance with legal and regulatory requirements related to cybersecurity.

Cybersecurity tools and staff are requested through the budget process.

There is a process to formally discuss and estimate potential expenses associated with cybersecurity incidents as part of the budgeting process.


Management determines which declarative statements best fit the current practices of the institution. All declarative statements in each maturity level, and previous levels, must be attained and sustained to achieve that domain’s maturity level. While management can determine the institution’s maturity level in each domain, the Assessment is not designed to identify an overall cybersecurity maturity level.

Management may determine that a declarative statement has been sufficiently sustained based on proven results. Certain declarative statements may not apply to all institutions if the product, service, or technology is not offered or used. Declarative statements that may not be applicable to all institutions are clearly designated and would not affect the determination of the specific maturity level.

Interpreting and Analyzing Assessment Results

Management can review the institution’s Inherent Risk Profile in relation to its Cybersecurity Maturity results for each domain to understand whether they are aligned.

Table 3 depicts the relationship between an institution’s Inherent Risk Profile and its domain Maturity Levels, as there is no single expected level for an institution. In general, as inherent risk rises, an institution’s maturity levels should increase. An institution’s inherent risk profile and maturity levels will change over time as threats, vulnerabilities, and operational environments change. Thus, management should consider reevaluating its inherent risk profile and cybersecurity maturity periodically and when planned changes can affect its inherent risk profile (e.g., launching new products or services, new connections).


Table 3: Risk/Maturity Relationship (matrix with the Inherent Risk Levels Least, Minimal, Moderate, Significant, and Most across the columns, and the Cybersecurity Maturity Level for Each Domain, Innovative, Advanced, Intermediate, Evolving, and Baseline, down the rows)


If management determines that the institution’s maturity levels are not appropriate in relation to the inherent risk profile, management should consider reducing inherent risk or developing a strategy to improve the maturity levels. This process includes

determining target maturity levels.

conducting a gap analysis.

prioritizing and planning actions.

implementing changes.

reevaluating over time.

communicating the results.

Management can set target maturity levels for each domain or across domains based on the institution’s business objectives and risk appetite. Management can conduct a gap analysis between the current and target maturity levels and initiate improvements based on the gaps. Each declarative statement can represent a range of strategies and processes that have enterprise-wide impact. For example, declarative statements not yet attained provide insights for policies, processes, procedures, and controls that may improve risk management in relation to a specific risk or the institution’s overall cybersecurity preparedness.

Using the maturity levels in each domain, management can identify potential actions that would increase the institution’s overall cybersecurity preparedness. Management can review declarative statements at maturity levels beyond what the institution has achieved to determine the actions needed to reach the next level and implement changes to address gaps. Management’s periodic reevaluations of the inherent risk profile and maturity levels may further assist the institution in maintaining an appropriate level of cybersecurity preparedness. In addition, management may also seek an independent validation, such as by the internal audit function, of the institution’s Assessment process and findings.
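As an added example, not code from the FFIEC or part of the Assessment itself, the following Python script applies the two rules this section relies on: the cumulative maturity rule (every declarative statement at a level and at all lower levels must be attained, with statements marked not applicable left out of the determination) and the gap analysis against a chosen target level. It also buckets a few count-based activities into the five inherent risk levels using the thresholds from the Inherent Risk Profile table later on this page. The statement identifiers (B1 to B5, E1 to E4), the activity names, and the sample answers are constructed for illustration; the overall inherent-risk rollup and the expectations shown by the shading of Table 3 are not modelled.

```python
"""Domain maturity, gap analysis and inherent-risk bucketing for the FFIEC CAT.

Added example; not code from the FFIEC. Statement ids, activity names and the
sample answers below are constructed for illustration.
"""
from typing import Dict, List, Optional

MATURITY_LEVELS = ["Baseline", "Evolving", "Intermediate", "Advanced", "Innovative"]
RISK_LEVELS = ["Least", "Minimal", "Moderate", "Significant", "Most"]

# Upper bound of the first four buckets for some count-based activities in the
# Inherent Risk Profile table on this page; a count above the last bound is "Most".
# The activity names are this example's own, not the FFIEC's.
RISK_THRESHOLDS: Dict[str, List[int]] = {
    "isp_connections": [0, 20, 100, 200],          # none / 1-20 / 21-100 / 101-200 / >200
    "unsecured_connections": [0, 5, 10, 25],       # none / 1-5 / 6-10 / 11-25 / >25
    "network_devices": [249, 1500, 25000, 50000],  # <250 / 250-1,500 / 1,501-25,000 / 25,001-50,000 / >50,000
    "third_party_providers": [0, 25, 100, 200],    # none / 1-25 / 26-100 / 101-200 / >200
}


def inherent_risk_level(activity: str, count: int) -> str:
    """Map a count to its risk level: the number of bucket bounds the count exceeds."""
    if count < 0:
        raise ValueError("count must be non-negative")
    bounds = RISK_THRESHOLDS[activity]
    return RISK_LEVELS[sum(1 for bound in bounds if count > bound)]


# level -> statement id -> "Y" (attained), "N" (not attained) or "NA" (not applicable)
Answers = Dict[str, Dict[str, str]]


def level_attained(statements: Dict[str, str]) -> bool:
    """A level is attained when no applicable statement is answered "N".
    "NA" statements do not affect the determination."""
    for answer in statements.values():
        if answer not in ("Y", "N", "NA"):
            raise ValueError(f"unexpected answer {answer!r}")
    return all(answer != "N" for answer in statements.values())


def domain_maturity(answers: Answers) -> Optional[str]:
    """Highest level such that it and every level below it are attained.
    Levels with no recorded statements count as not attained; None means
    even Baseline is not reached."""
    achieved: Optional[str] = None
    for level in MATURITY_LEVELS:
        statements = answers.get(level)
        if not statements or not level_attained(statements):
            break
        achieved = level
    return achieved


def gap_to_target(answers: Answers, target: str) -> List[str]:
    """Statements answered "N" at or below the target level, in level order:
    what must still be attained (and sustained) to reach the target."""
    levels = MATURITY_LEVELS[: MATURITY_LEVELS.index(target) + 1]
    return [sid for level in levels
            for sid, answer in answers.get(level, {}).items() if answer == "N"]


# Constructed answers for the Domain 1 / Governance / Oversight statements
# reproduced in Figure 4 (B1-B5 are the Baseline statements, E1-E4 the Evolving ones).
SAMPLE_OVERSIGHT: Answers = {
    "Baseline": {"B1": "Y", "B2": "Y", "B3": "Y", "B4": "NA", "B5": "Y"},
    "Evolving": {"E1": "Y", "E2": "Y", "E3": "N", "E4": "Y"},
}

if __name__ == "__main__":
    print("maturity:", domain_maturity(SAMPLE_OVERSIGHT))                      # Baseline
    print("gap to Evolving:", gap_to_target(SAMPLE_OVERSIGHT, "Evolving"))     # ['E3']
    print("ISP connections (35):", inherent_risk_level("isp_connections", 35))  # Moderate
```

Because a single "N" at a level blocks that level and every level above it, the gap list is the shortest set of statements to work on for the next level; statements at higher levels that are already "Y" count only once the lower levels are fully attained. The bucket bounds are inclusive upper limits, which is why the network-device entry uses 249 for the "<250" bucket.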


The Assessment results should be communicated to the chief executive officer (CEO) and board. More information and questions to consider are contained in the “Overview for Chief Executive Officers and Boards of Directors.”

Resources

In addition to the “Overview for Chief Executive Officers and Boards of Directors,” the FFIEC has released the following documents to assist institutions with the Cybersecurity Assessment Tool.

Appendix A: Mapping Baseline Statements to FFIEC IT Examination Handbook

Appendix B: Mapping Cybersecurity Assessment Tool to NIST Cybersecurity Framework

Appendix C: Glossary


 


Inherent Risk Profile

Category: Technologies and Connection Types (risk levels: Least, Minimal, Moderate, Significant, Most)

Total number of Internet service provider (ISP) connections (including branch connections)
  Least: No connections
  Minimal: Minimal complexity (1–20 connections)
  Moderate: Moderate complexity (21–100 connections)
  Significant: Significant complexity (101–200 connections)
  Most: Substantial complexity (>200 connections)

Unsecured external connections, number of connections not users (e.g., file transfer protocol (FTP), Telnet, rlogin)
  Least: None
  Minimal: Few instances of unsecured connections (1–5)
  Moderate: Several instances of unsecured connections (6–10)
  Significant: Significant instances of unsecured connections (11–25)
  Most: Substantial instances of unsecured connections (>25)

Wireless network access
  Least: No wireless access
  Minimal: Separate access points for guest wireless and corporate wireless
  Moderate: Guest and corporate wireless network access are logically separated; limited number of users and access points (1–250 users; 1–25 access points)
  Significant: Wireless corporate network access; significant number of users and access points (251–1,000 users; 26–100 access points)
  Most: Wireless corporate network access; all employees have access; substantial number of access points (>1,000 users; >100 access points)

Personal devices allowed to connect to the corporate network
  Least: None
  Minimal: Only one device type available; available to <5% of employees (staff, executives, managers); e-mail access only
  Moderate: Multiple device types used; available to <10% of employees (staff, executives, managers) and board; e-mail access only
  Significant: Multiple device types used; available to <25% of authorized employees (staff, executives, managers) and board; e-mail and some applications accessed
  Most: Any device type used; available to >25% of employees (staff, executives, managers) and board; all applications accessed

Third parties, including number of organizations and number of individuals from vendors and subcontractors, with access to internal systems (e.g., virtual private network, modem, intranet, direct connection)
  Least: No third parties and no individuals from third parties with access to systems
  Minimal: Limited number of third parties (1–5) and limited number of individuals from third parties (<50) with access; low complexity in how they access systems
  Moderate: Moderate number of third parties (6–10) and moderate number of individuals from third parties (50–500) with access; some complexity in how they access systems
  Significant: Significant number of third parties (11–25) and significant number of individuals from third parties (501–1,500) with access; high level of complexity in terms of how they access systems
  Most: Substantial number of third parties (>25) and substantial number of individuals from third parties (>1,500) with access; high complexity in how they access systems



 

Category: Technologies and Connection Types (continued)

Wholesale customers with dedicated connections
  Least: None
  Minimal: Few dedicated connections (between 1–5)
  Moderate: Several dedicated connections (between 6–10)
  Significant: Significant number of dedicated connections (between 11–25)
  Most: Substantial number of dedicated connections (>25)

Internally hosted and developed or modified vendor applications supporting critical activities
  Least: No applications
  Minimal: Few applications (between 1–5)
  Moderate: Several applications (between 6–10)
  Significant: Significant number of applications (between 11–25)
  Most: Substantial number of applications and complexity (>25)

Internally hosted, vendor-developed applications supporting critical activities
  Least: Limited applications (0–5)
  Minimal: Few applications (6–30)
  Moderate: Several applications (31–75)
  Significant: Significant number of applications (76–200)
  Most: Substantial number of applications and complexity (>200)

User-developed technologies and user computing that support critical activities (includes Microsoft Excel spreadsheets and Access databases or other user-developed tools)
  Least: No user-developed technologies
  Minimal: 1–100 technologies
  Moderate: 101–500 technologies
  Significant: 501–2,500 technologies
  Most: >2,500 technologies

End-of-life (EOL) systems
  Least: No systems (hardware or software) that are past EOL or at risk of nearing EOL within 2 years
  Minimal: Few systems that are at risk of EOL and none that support critical operations
  Moderate: Several systems that will reach EOL within 2 years and some that support critical operations
  Significant: A large number of systems that support critical operations at EOL or are at risk of reaching EOL in 2 years
  Most: Majority of critical operations dependent on systems that have reached EOL or will reach EOL within the next 2 years or an unknown number of systems that have reached EOL

Open Source Software (OSS)
  Least: No OSS
  Minimal: Limited OSS and none that support critical operations
  Moderate: Several OSS that support critical operations
  Significant: Large number of OSS that support critical operations
  Most: Majority of operations dependent on OSS

Network devices (e.g., servers, routers, and firewalls; include physical and virtual)
  Least: Limited or no network devices (<250)
  Minimal: Few devices (250–1,500)
  Moderate: Several devices (1,501–25,000)
  Significant: Significant number of devices (25,001–50,000)
  Most: Substantial number of devices (>50,000)

Third-party service providers storing and/or processing information that support critical activities (Do not have access to internal systems, but the institution relies on their services)
  Least: No third parties that support critical activities
  Minimal: 1–25 third parties that support critical activities
  Moderate: 26–100 third parties that support critical activities
  Significant: 101–200 third parties that support critical activities; 1 or more are foreign-based
  Most: >200 third parties that support critical activities; 1 or more are foreign-based



 

Category: Technologies and Connection Types (continued)

Cloud computing services hosted externally to support critical activities
  Least: No cloud providers
  Minimal: Few cloud providers; private cloud only (1–3)
  Moderate: Several cloud providers (4–7)
  Significant: Significant number of cloud providers (8–10); cloud-provider locations used include international; use of public cloud
  Most: Substantial number of cloud providers (>10); cloud-provider locations used include international; use of public cloud


Category: Delivery Channels (risk levels: Least, Minimal, Moderate, Significant, Most)

Online presence (customer)
  Least: No Web-facing applications or social media presence
  Minimal: Serves as an informational Web site or social media page (e.g., provides branch and ATM locations and marketing materials)
  Moderate: Serves as a delivery channel for retail online banking; may communicate to customers through social media
  Significant: Serves as a delivery channel for wholesale customers; may include retail account origination
  Most: Internet applications serve as a channel to wholesale customers to manage large value assets

Mobile presence
  Least: None
  Minimal: SMS text alerts or notices only; browser-based access
  Moderate: Mobile banking application for retail customers (e.g., bill payment, mobile check capture, internal transfers only)
  Significant: Mobile banking application includes external transfers (e.g., for corporate clients, recurring external transactions)
  Most: Full functionality, including originating new transactions (e.g., ACH, wire)

Automated Teller Machines (ATM) (Operation)
  Least: No ATM services
  Minimal: ATM services offered but no owned machines
  Moderate: ATM services managed by a third party; ATMs at local and regional branches; cash reload services outsourced
  Significant: ATM services managed internally; ATMs at U.S. branches and retail locations; cash reload services outsourced
  Most: ATM services managed internally; ATM services provided to other financial institutions; ATMs at domestic and international branches and retail locations; cash reload services managed internally



 

Category: Online/Mobile Products and Technology Services (risk levels: Least, Minimal, Moderate, Significant, Most)

Issue debit or credit cards
  Least: Do not issue debit or credit cards
  Minimal: Issue debit and/or credit cards through a third party; <10,000 cards outstanding
  Moderate: Issue debit or credit cards through a third party; between 10,000–50,000 cards outstanding
  Significant: Issue debit or credit cards directly; between 50,000–100,000 cards outstanding
  Most: Issue debit or credit cards directly; >100,000 cards outstanding; issue cards on behalf of other financial institutions

Prepaid cards
  Least: Do not issue prepaid cards
  Minimal: Issue prepaid cards through a third party; <5,000 cards outstanding
  Moderate: Issue prepaid cards through a third party; 5,000–10,000 cards outstanding
  Significant: Issue prepaid cards through a third party; 10,001–20,000 cards outstanding
  Most: Issue prepaid cards internally, through a third party, or on behalf of other financial institutions; >20,000 cards outstanding

Emerging payments technologies (e.g., digital wallets, mobile wallets)
  Least: Do not accept or use emerging payments technologies
  Minimal: Indirect acceptance or use of emerging payments technologies (customer use may affect deposit or credit account)
  Moderate: Direct acceptance or use of emerging payments technologies; partner or co-brand with non-bank providers; limited transaction volume
  Significant: Direct acceptance or use of emerging payments technologies; small transaction volume; no foreign payments
  Most: Direct acceptance of emerging payments technologies; moderate transaction volume and/or foreign payments

Person-to-person payments (P2P)
  Least: Not offered
  Minimal: Customers allowed to originate payments; used by <1,000 customers or monthly transaction volume is <50,000
  Moderate: Customers allowed to originate payments; used by 1,000–5,000 customers or monthly transaction volume is between 50,000–100,000
  Significant: Customers allowed to originate payments; used by 5,001–10,000 customers or monthly transaction volume is between 100,001–1 million
  Most: Customers allowed to request payment or to originate payment; used by >10,000 customers or monthly transaction volume >1 million

Originating ACH payments
  Least: No ACH origination
  Minimal: Originate ACH credits; daily volume <3% of total assets
  Moderate: Originate ACH debits and credits; daily volume is 3%–5% of total assets
  Significant: Sponsor third-party payment processor; originate ACH debits and credits with daily volume 6%–25% of total assets
  Most: Sponsor nested third-party payment processors; originate debits and credits with daily volume that is >25% of total assets

Originating wholesale payments (e.g., CHIPS)
  Least: Do not originate wholesale payments
  Minimal: Daily originated wholesale payment volume <3% of total assets
  Moderate: Daily originated wholesale payment volume 3%–5% of total assets
  Significant: Daily originated wholesale payment volume 6%–25% of total assets
  Most: Daily originated wholesale payment volume >25% of total assets



 

Category: Online/Mobile Products and Technology Services (continued)

Wire transfers
  Least: Not offered
  Minimal: In person wire requests only; domestic wires only; daily wire volume <3% of total assets
  Moderate: In person, phone, and fax wire requests; domestic daily wire volume 3%–5% of total assets; international daily wire volume <3% of total assets
  Significant: Multiple request channels (e.g., online, text, e-mail, fax, and phone); daily domestic wire volume 6%–25% of total assets; daily international wire volume 3%–10% of total assets
  Most: Multiple request channels (e.g., online, text, e-mail, fax, and phone); daily domestic wire volume >25% of total assets; daily international wire volume >10% of total assets

Merchant remote deposit capture (RDC)
  Least: Do not offer Merchant RDC
  Minimal: <100 merchant clients; daily volume of transactions is <3% of total assets
  Moderate: 100–500 merchant clients; daily volume of transactions is 3%–5% of total assets
  Significant: 501–1,000 merchant clients; daily volume of transactions is 6%–25% of total assets
  Most: >1,000 merchant clients; daily volume of transactions is >25% of total assets

Global remittances
  Least: Do not offer global remittances
  Minimal: Gross daily transaction volume is <3% of total assets
  Moderate: Gross daily transaction volume is 3%–5% of total assets
  Significant: Gross daily transaction volume is 6%–25% of total assets
  Most: Gross daily transaction volume is >25% of total assets

Treasury services and clients
  Least: No treasury management services are offered
  Minimal: Limited services offered; number of clients is <1,000
  Moderate: Services offered include lockbox, ACH origination, and remote deposit capture; number of clients is between 1,000–10,000
  Significant: Services offered include accounts receivable solutions and liquidity management; number of clients is between 10,001–20,000
  Most: Multiple services offered including currency services, online investing, and investment sweep accounts; number of clients is >20,000

Trust services
  Least: Trust services are not offered
  Minimal: Trust services are offered through a third-party provider; assets under management total <$500 million
  Moderate: Trust services provided directly; portfolio of assets under management total $500 million–$999 million
  Significant: Trust services provided directly; assets under management total $1 billion–$10 billion
  Most: Trust services provided directly; assets under management total >$10 billion

Act as a correspondent bank (Interbank transfers)
  Least: Do not act as a correspondent bank
  Minimal: Act as a correspondent bank for <100 institutions
  Moderate: Act as a correspondent bank for 100–250 institutions
  Significant: Act as a correspondent bank for 251–500 institutions
  Most: Act as a correspondent bank for >500 institutions



 

FFIEC Cybersecurity Assessment Tool

 

 

 

 

 

 

 

 

 

 

Inherent Risk Profile

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Category: Online/Mobile Products and Technology Services
Risk Levels: Least | Minimal | Moderate | Significant | Most

Merchant acquirer (sponsor merchants or card processor activity into the payment system)
  Least: Do not act as a merchant acquirer
  Minimal: Act as a merchant acquirer; <1,000 merchants
  Moderate: Act as a merchant acquirer; outsource card payment processing; 1,000–10,000 merchants
  Significant: Act as a merchant acquirer and card payment processor; 10,001–100,000 merchants
  Most: Act as a merchant acquirer and card payment processor; >100,000 merchants

Host IT services for other organizations (either through joint systems or administrative support)
  Least: Do not provide IT services for other organizations
  Minimal: Host or provide IT services for affiliated organizations
  Moderate: Host or provide IT services for up to 25 unaffiliated organizations
  Significant: Host or provide IT services for 26–50 unaffiliated organizations
  Most: Host or provide IT services for >50 unaffiliated organizations


Category: Organizational Characteristics
Risk Levels: Least | Minimal | Moderate | Significant | Most

Mergers and acquisitions (including divestitures and joint ventures)
  Least: None planned
  Minimal: Open to initiating discussions or actively seeking a merger or acquisition
  Moderate: In discussions with at least 1 party
  Significant: A sale or acquisition has been publicly announced within the past year, in negotiations with 1 or more parties
  Most: Multiple ongoing integrations of acquisitions are in process

Direct employees (including information technology and cybersecurity contractors)
  Least: Number of employees totals <50
  Minimal: Number of employees totals 50–2,000
  Moderate: Number of employees totals 2,001–10,000
  Significant: Number of employees totals 10,001–50,000
  Most: Number of employees is >50,000

Changes in IT and information security staffing
  Least: Key positions filled; low or no turnover of personnel
  Minimal: Staff vacancies exist for non-critical roles
  Moderate: Some turnover in key or senior positions
  Significant: Frequent turnover in key staff or senior positions
  Most: Vacancies in senior or key positions for long periods; high level of employee turnover in IT or information security

Privileged access (Administrators – network, database, applications, systems, etc.)
  Least: Limited number of administrators; limited or no external administrators
  Minimal: Level of turnover in administrators does not affect operations or activities; may utilize some external administrators
  Moderate: Level of turnover in administrators affects operations; number of administrators for individual systems or applications exceeds what is necessary
  Significant: High reliance on external administrators; number of administrators is not sufficient to support level or pace of change
  Most: High employee turnover in network administrators; many or most administrators are external (contractors or vendors); experience in network administration is limited



Changes in IT environment (e.g., network, infrastructure, critical applications, technologies supporting new products or services)
  Least: Stable IT environment
  Minimal: Infrequent or minimal changes in the IT environment
  Moderate: Frequent adoption of new technologies
  Significant: Volume of significant changes is high
  Most: Substantial change in outsourced provider(s) of critical IT services; large and complex changes to the environment occur frequently

Locations of branches/business presence
  Least: 1 state
  Minimal: 1 region
  Moderate: 1 country
  Significant: 1–20 countries
  Most: >20 countries

Locations of operations/data centers
  Least: 1 state
  Minimal: 1 region
  Moderate: 1 country
  Significant: 1–10 countries
  Most: >10 countries


Category: External Threats
Risk Levels: Least | Minimal | Moderate | Significant | Most

Attempted cyber attacks
  Least: No attempted attacks or reconnaissance
  Minimal: Few attempts monthly (<100); may have had generic phishing campaigns received by employees and customers
  Moderate: Several attempts monthly (100–500); phishing campaigns targeting employees or customers at the institution or third parties supporting critical activities; may have experienced an attempted Distributed Denial of Service (DDoS) attack within the last year
  Significant: Significant number of attempts monthly (501–100,000); spear phishing campaigns targeting high net worth customers and employees at the institution or third parties supporting critical activities; Institution specifically is named in threat reports; may have experienced multiple attempted DDoS attacks within the last year
  Most: Substantial number of attempts monthly (>100,000); persistent attempts to attack senior management and/or network administrators; frequently targeted for DDoS attacks



Risk Levels: Least | Minimal | Moderate | Significant | Most | Total
Number of Statements Selected in Each Risk Level: ___ | ___ | ___ | ___ | ___ | ___
Based on Individual Risk Levels Selected, Assign an Inherent Risk Profile: Least | Minimal | Moderate | Significant | Most



FFIEC Cybersecurity Assessment Tool
Cybersecurity Maturity: Domain 1

Cybersecurity Maturity
Domain 1: Cyber Risk Management and Oversight

Assessment Factor: Governance
Y, N

OVERSIGHT

Baseline
Designated members of management are held accountable by the board or an appropriate board committee for implementing and managing the information security and business continuity programs. (FFIEC Information Security Booklet, page 3)
Information security risks are discussed in management meetings when prompted by highly visible cyber events or regulatory alerts. (FFIEC Information Security Booklet, page 6)
Management provides a written report on the overall status of the information security and business continuity programs to the board or an appropriate board committee at least annually. (FFIEC Information Security Booklet, page 5)
The budgeting process includes information security related expenses and tools. (FFIEC E-Banking Booklet, page 20)
Management considers the risks posed by other critical infrastructures (e.g., telecommunications, energy) to the institution. (FFIEC Business Continuity Planning Booklet, page J-12)

Evolving
At least annually, the board or an appropriate board committee reviews and approves the institution’s cybersecurity program.
Management is responsible for ensuring compliance with legal and regulatory requirements related to cybersecurity.
Cybersecurity tools and staff are requested through the budget process.
There is a process to formally discuss and estimate potential expenses associated with cybersecurity incidents as part of the budgeting process.

Intermediate
The board or an appropriate board committee has cybersecurity expertise or engages experts to assist with oversight responsibilities.
The standard board meeting package includes reports and metrics that go beyond events and incidents to address threat intelligence trends and the institution’s security posture.
The institution has a cyber risk appetite statement approved by the board or an appropriate board committee.
Cyber risks that exceed the risk appetite are escalated to management.
The board or an appropriate board committee ensures management’s annual cybersecurity self-assessment evaluates the institution’s ability to meet its cyber risk management standards.
The board or an appropriate board committee reviews and approves management’s prioritization and resource allocation decisions based on the results of the cyber assessments.
The board or an appropriate board committee ensures management takes appropriate actions to address changing cyber risks or significant cybersecurity issues.
The budget process for requesting additional cybersecurity staff and tools is integrated into business units’ budget processes.

 

 

 

 

Advanced
The board or board committee approved cyber risk appetite statement is part of the enterprise-wide risk appetite statement.
Management has a formal process to continuously improve cybersecurity oversight.
The budget process for requesting additional cybersecurity staff and tools maps current resources and tools to the cybersecurity strategy.
Management and the board or an appropriate board committee hold business units accountable for effectively managing all cyber risks associated with their activities.
Management identifies root cause(s) when cyber attacks result in material loss.
The board or an appropriate board committee ensures that management’s actions consider the cyber risks that the institution poses to the financial sector.

Innovative
The board or an appropriate board committee discusses ways for management to develop cybersecurity improvements that may be adopted sector-wide.
The board or an appropriate board committee verifies that management’s actions consider the cyber risks that the institution poses to other critical infrastructures (e.g., telecommunications, energy).



STRATEGY/POLICIES

Baseline
The institution has an information security strategy that integrates technology, policies, procedures, and training to mitigate risk. (FFIEC Information Security Booklet, page 3)
The institution has policies commensurate with its risk and complexity that address the concepts of information technology risk management. (FFIEC Information Security Booklet, page 16)
The institution has policies commensurate with its risk and complexity that address the concepts of threat information sharing. (FFIEC E-Banking Booklet, page 28)
The institution has board-approved policies commensurate with its risk and complexity that address information security. (FFIEC Information Security Booklet, page 16)
The institution has policies commensurate with its risk and complexity that address the concepts of external dependency or third-party management. (FFIEC Outsourcing Booklet, page 2)
The institution has policies commensurate with its risk and complexity that address the concepts of incident response and resilience. (FFIEC Information Security Booklet, page 83)
All elements of the information security program are coordinated enterprise-wide. (FFIEC Information Security Booklet, page 7)

Evolving
The institution augmented its information security strategy to incorporate cybersecurity and resilience.
The institution has a formal cybersecurity program that is based on technology and security industry standards or benchmarks.
A formal process is in place to update policies as the institution’s inherent risk profile changes.

Intermediate
The institution has a comprehensive set of policies commensurate with its risk and complexity that address the concepts of threat intelligence.
Management periodically reviews the cybersecurity strategy to address evolving cyber threats and changes to the institution’s inherent risk profile.
The cybersecurity strategy is incorporated into, or conceptually fits within, the institution’s enterprise-wide risk management strategy.
Management links strategic cybersecurity objectives to tactical goals.
A formal process is in place to cross-reference and simultaneously update all policies related to cyber risks across business lines.



Advanced
The cybersecurity strategy outlines the institution’s future state of cybersecurity with short-term and long-term perspectives.
Industry-recognized cybersecurity standards are used as sources during the analysis of cybersecurity program gaps.
The cybersecurity strategy identifies and communicates the institution’s role as a component of critical infrastructure in the financial services industry.
The risk appetite is informed by the institution’s role in critical infrastructure.
Management is continuously improving the existing cybersecurity program to adapt as the desired cybersecurity target state changes.

Innovative
The cybersecurity strategy identifies and communicates the institution’s role as it relates to other critical infrastructures.


IT ASSET MANAGEMENT

Baseline
An inventory of organizational assets (e.g., hardware, software, data, and systems hosted externally) is maintained. (FFIEC Information Security Booklet, page 9)
Organizational assets (e.g., hardware, systems, data, and applications) are prioritized for protection based on the data classification and business value. (FFIEC Information Security Booklet, page 12)
Management assigns accountability for maintaining an inventory of organizational assets. (FFIEC Information Security Booklet, page 9)
A change management process is in place to request and approve changes to systems configurations, hardware, software, applications, and security tools. (FFIEC Information Security Booklet, page 56)

Evolving
The asset inventory, including identification of critical assets, is updated at least annually to address new, relocated, re-purposed, and sunset assets.
The institution has a documented asset life-cycle process that considers whether assets to be acquired have appropriate security safeguards.
The institution proactively manages system EOL (e.g., replacement) to limit security risks.
Changes are formally approved by an individual or committee with appropriate authority and with separation of duties.



Intermediate
Baseline configurations cannot be altered without a formal change request, documented approval, and an assessment of security implications.
A formal IT change management process requires cybersecurity risk to be evaluated during the analysis, approval, testing, and reporting of changes.

Advanced
Supply chain risk is reviewed before the acquisition of mission-critical information systems including system components.
Automated tools enable tracking, updating, asset prioritizing, and custom reporting of the asset inventory.
Automated processes are in place to detect and block unauthorized changes to software and hardware.
The change management system uses thresholds to determine when a risk assessment of the impact of the change is required.

Innovative
A formal change management function governs decentralized or highly distributed change requests and identifies and measures security risks that may cause increased exposure to cyber attack.
Comprehensive automated enterprise tools are implemented to detect and block unauthorized changes to software and hardware.


Assessment Factor: Risk Management

RISK MANAGEMENT PROGRAM

Baseline
An information security and business continuity risk management function(s) exists within the institution. (FFIEC Information Security Booklet, page 68)

Evolving
The risk management program incorporates cyber risk identification, measurement, mitigation, monitoring, and reporting.
Management reviews and uses the results of audits to improve existing cybersecurity policies, procedures, and controls.
Management monitors moderate and high residual risk issues from the cybersecurity risk assessment until items are addressed.



Intermediate
The cybersecurity function has a clear reporting line that does not present a conflict of interest.
The risk management program specifically addresses cyber risks beyond the boundaries of the technological impacts (e.g., financial, strategic, regulatory, compliance).
Benchmarks or target performance metrics have been established for showing improvements or regressions of the security posture over time.
Management uses the results of independent audits and reviews to improve cybersecurity.
There is a process to analyze and assign potential losses and related expenses, by cost center, associated with cybersecurity incidents.

Advanced
Cybersecurity metrics are used to facilitate strategic decision-making and funding in areas of need.
Independent risk management sets and monitors cyber-related risk limits for business units.
Independent risk management staff escalates to management and the board or an appropriate board committee significant discrepancies from business unit’s assessments of cyber-related risk.
A process is in place to analyze the financial impact cyber incidents have on the institution’s capital.
The cyber risk data aggregation and real-time reporting capabilities support the institution’s ongoing reporting needs, particularly during cyber incidents.

Innovative
The risk management function identifies and analyzes commonalities in cyber events that occur both at the institution and across other sectors to enable more predictive risk management.
A process is in place to analyze the financial impact that a cyber incident at the institution may have across the financial sector.



RISK ASSESSMENT

Baseline
A risk assessment focused on safeguarding customer information identifies reasonable and foreseeable internal and external threats, the likelihood and potential damage of threats, and the sufficiency of policies, procedures, and customer information systems. (FFIEC Information Security Booklet, page 8)
The risk assessment identifies internet-based systems and high-risk transactions that warrant additional authentication controls. (FFIEC Information Security Booklet, page 12)
The risk assessment is updated to address new technologies, products, services, and connections before deployment. (FFIEC Information Security Booklet, page 13)

Evolving
Risk assessments are used to identify the cybersecurity risks stemming from new products, services, or relationships.
The focus of the risk assessment has expanded beyond customer information to address all information assets.
The risk assessment considers the risk of using EOL software and hardware components.

Intermediate
The risk assessment is adjusted to consider widely known risks or risk management practices.

Advanced
An enterprise-wide risk management function incorporates cyber threat analysis and specific risk exposure as part of the enterprise risk assessment.

Innovative
The risk assessment is updated in real time as changes to the risk profile occur, new applicable standards are released or updated, and new exposures are anticipated.
The institution uses information from risk assessments to predict threats and drive real-time responses.
Advanced or automated analytics offer predictive information and real-time risk metrics.



AUDIT

Baseline
Independent audit or review evaluates policies, procedures, and controls across the institution for significant risks and control issues associated with the institution's operations, including risks in new products, emerging technologies, and information systems. (FFIEC Audit Booklet, page 4)
The independent audit function validates controls related to the storage or transmission of confidential data. (FFIEC Audit Booklet, page 1)
Logging practices are independently reviewed periodically to ensure appropriate log management (e.g., access controls, retention, and maintenance). (FFIEC Operations Booklet, page 29)
Issues and corrective actions from internal audits and independent testing/assessments are formally tracked to ensure procedures and control lapses are resolved in a timely manner. (FFIEC Information Security Booklet, page 6)

Evolving
The independent audit function validates that the risk management function is commensurate with the institution’s risk and complexity.
The independent audit function validates that the institution’s threat information sharing is commensurate with the institution’s risk and complexity.
The independent audit function validates that the institution’s cybersecurity controls function is commensurate with the institution’s risk and complexity.
The independent audit function validates that the institution’s third-party relationship management is commensurate with the institution’s risk and complexity.
The independent audit function validates that the institution’s incident response program and resilience are commensurate with the institution’s risk and complexity.

Intermediate
A formal process is in place for the independent audit function to update its procedures based on changes to the institution’s inherent risk profile.
The independent audit function validates that the institution’s threat intelligence and collaboration are commensurate with the institution’s risk and complexity.
The independent audit function regularly reviews management’s cyber risk appetite statement.
Independent audits or reviews are used to identify gaps in existing security capabilities and expertise.



Advanced
A formal process is in place for the independent audit function to update its procedures based on changes to the evolving threat landscape across the sector.
The independent audit function regularly reviews the institution’s cyber risk appetite statement in comparison to assessment results and incorporates gaps into the audit strategy.
Independent audits or reviews are used to identify cybersecurity weaknesses, root causes, and the potential impact to business units.

Innovative
A formal process is in place for the independent audit function to update its procedures based on changes to the evolving threat landscape across other sectors the institution depends upon.
The independent audit function uses sophisticated data mining tools to perform continuous monitoring of cybersecurity processes or controls.


Assessment Factor: Resources

STAFFING

Baseline
Information security roles and responsibilities have been identified. (FFIEC Information Security Booklet, page 7)
Processes are in place to identify additional expertise needed to improve information security defenses. (FFIEC Information Security Work Program, Objective I: 2-8)

Evolving
A formal process is used to identify cybersecurity tools and expertise that may be needed.
Management with appropriate knowledge and experience leads the institution's cybersecurity efforts.
Staff with cybersecurity responsibilities have the requisite qualifications to perform the necessary tasks of the position.
Employment candidates, contractors, and third parties are subject to background verification proportional to the confidentiality of the data accessed, business requirements, and acceptable risk.

Intermediate
The institution has a program for talent recruitment, retention, and succession planning for the cybersecurity and resilience staffs.

Advanced
The institution benchmarks its cybersecurity staffing against peers to identify whether its recruitment, retention, and succession planning are commensurate.
Dedicated cybersecurity staff develops, or contributes to developing, integrated enterprise-level security and cyber defense strategies.



Innovative
The institution actively partners with industry associations and academia to inform curricula based on future cybersecurity staffing needs of the industry.

Assessment Factor: Training and Culture

TRAINING

Baseline
Annual information security training is provided. (FFIEC Information Security Booklet, page 66)
Annual information security training includes incident response, current cyber threats (e.g., phishing, spear phishing, social engineering, and mobile security), and emerging issues. (FFIEC Information Security Booklet, page 66)
Situational awareness materials are made available to employees when prompted by highly visible cyber events or by regulatory alerts. (FFIEC Information Security Booklet, page 7)
Customer awareness materials are readily available (e.g., DHS’ Cybersecurity Awareness Month materials). (FFIEC E-Banking Work Program, Objective 6-3)

Evolving
The institution has a program for continuing cybersecurity training and skill development for cybersecurity staff.
Management is provided cybersecurity training relevant to their job responsibilities.
Employees with privileged account permissions receive additional cybersecurity training commensurate with their levels of responsibility.
Business units are provided cybersecurity training relevant to their particular business risks.
The institution validates the effectiveness of training (e.g., social engineering or phishing tests).

Intermediate
Management incorporates lessons learned from social engineering and phishing exercises to improve the employee awareness programs.
Cybersecurity awareness information is provided to retail customers and commercial clients at least annually.
Business units are provided cybersecurity training relevant to their particular business risks, over and above what is required of the institution as a whole.
The institution routinely updates its training to security staff to adapt to new threats.


June 2015

28

FFIEC Cybersecurity Assessment Tool

Cybersecurity Maturity: Domain 1

Advanced
Independent directors are provided with cybersecurity training that addresses how complex products, services, and lines of business affect the institution's cyber risk.

Innovative
Key performance indicators are used to determine whether training and awareness programs positively influence behavior.

Component: Culture

Baseline
Management holds employees accountable for complying with the information security program. (FFIEC Information Security Booklet, page 7)

Evolving
The institution has formal standards of conduct that hold all employees accountable for complying with cybersecurity policies and procedures.
Cyber risks are actively discussed at business unit meetings.
Employees have a clear understanding of how to identify and escalate potential cybersecurity issues.

Intermediate
Management ensures performance plans are tied to compliance with cybersecurity policies and standards in order to hold employees accountable.
The risk culture requires formal consideration of cyber risks in all business decisions.
Cyber risk reporting is presented and discussed at the independent risk management meetings.

Advanced
Management ensures continuous improvement of cyber risk cultural awareness.

Innovative
The institution leads efforts to promote cybersecurity culture across the sector and to other sectors that they depend upon.


Domain 2: Threat Intelligence and Collaboration

Assessment Factor: Threat Intelligence

Component: Threat Intelligence and Information

Baseline
The institution belongs or subscribes to a threat and vulnerability information sharing source(s) that provides information on threats (e.g., Financial Services Information Sharing and Analysis Center [FS-ISAC], U.S. Computer Emergency Readiness Team [US-CERT]). (FFIEC E-Banking Work Program, page 28)
Threat information is used to monitor threats and vulnerabilities. (FFIEC Information Security Booklet, page 83)
Threat information is used to enhance internal risk management and controls. (FFIEC Information Security Booklet, page 4)

Evolving
Threat information received by the institution includes analysis of tactics, patterns, and risk mitigation recommendations.

Intermediate
A formal threat intelligence program is implemented and includes subscription to threat feeds from external providers and internal sources.
Protocols are implemented for collecting information from industry peers and government.
A read-only, central repository of cyber threat intelligence is maintained.

Advanced
A cyber intelligence model is used for gathering threat information.
Threat intelligence is automatically received from multiple sources in real time.
The institution’s threat intelligence includes information related to geopolitical events that could increase cybersecurity threat levels.

Innovative
A threat analysis system automatically correlates threat data to specific risks and then takes risk-based automated actions while alerting management.
The institution is investing in the development of new threat intelligence and collaboration mechanisms (e.g., technologies, business processes) that will transform how information is gathered and shared.


Assessment Factor: Monitoring and Analyzing

Component: Monitoring and Analyzing

Baseline
Audit log records and other security event logs are reviewed and retained in a secure manner. (FFIEC Information Security Booklet, page 79)
Computer event logs are used for investigations once an event has occurred. (FFIEC Information Security Booklet, page 83)

Evolving
A process is implemented to monitor threat information to discover emerging threats.
The threat information and analysis process is assigned to a specific group or individual.
Security processes and technology are centralized and coordinated in a Security Operations Center (SOC) or equivalent.
Monitoring systems operate continuously with adequate support for efficient incident handling.

Intermediate
A threat intelligence team is in place that evaluates threat intelligence from multiple sources for credibility, relevance, and exposure.
A profile is created for each threat that identifies the likely intent, capability, and target of the threat.
Threat information sources that address all components of the threat profile are prioritized and monitored.
Threat intelligence is analyzed to develop cyber threat summaries including risks to the institution and specific actions for the institution to consider.

Advanced
A dedicated cyber threat identification and analysis committee or team exists to centralize and coordinate initiatives and communications.
Formal processes have been defined to resolve potential conflicts in information received from sharing and analysis centers or other sources.
Emerging internal and external threat intelligence and correlated log analysis are used to predict future attacks.
Threat intelligence is viewed within the context of the institution's risk profile and risk appetite to prioritize mitigating actions in anticipation of threats.
Threat intelligence is used to update architecture and configuration standards.


Innovative
The institution uses multiple sources of intelligence, correlated log analysis, alerts, internal traffic flows, and geopolitical events to predict potential future attacks and attack trends.
Highest risk scenarios are used to predict threats against specific business targets.
IT systems automatically detect configuration weaknesses based on threat intelligence and alert management so actions can be prioritized.

Assessment Factor: Information Sharing

Component: Information Sharing

Baseline
Information security threats are gathered and shared with applicable internal employees. (FFIEC Information Security Booklet, page 83)
Contact information for law enforcement and the regulator(s) is maintained and updated regularly. (FFIEC Business Continuity Planning Work Program, Objective I: 5-1)
Information about threats is shared with law enforcement and regulators when required or prompted. (FFIEC Information Security Booklet, page 84)

Evolving
A formal and secure process is in place to share threat and vulnerability information with other entities.
A representative from the institution participates in law enforcement or information-sharing organization meetings.

Intermediate
A formal protocol is in place for sharing threat, vulnerability, and incident information to employees based on their specific job function.
Information-sharing agreements are used as needed or required to facilitate sharing threat information with other financial sector organizations or third parties.
Information is shared proactively with the industry, law enforcement, regulators, and information-sharing forums.
A process is in place to communicate and collaborate with the public sector regarding cyber threats.

Advanced
Management communicates threat intelligence with business risk context and specific risk management recommendations to the business units.
Relationships exist with employees of peer institutions for sharing cyber threat intelligence.
A network of trust relationships (formal and/or informal) has been established to evaluate information about cyber threats.


Innovative
A mechanism is in place for sharing cyber threat intelligence with business units in real time including the potential financial and operational impact of inaction.
A system automatically informs management of the level of business risk specific to the institution and the progress of recommended steps taken to mitigate the risks.
The institution is leading efforts to create new sector-wide information-sharing channels to address gaps in external-facing information-sharing mechanisms.

Domain 3: Cybersecurity Controls

Assessment Factor: Preventative Controls

Component: Infrastructure Management

Baseline
Network perimeter defense tools (e.g., border router and firewall) are used. (FFIEC Information Security Booklet, page 33)
Systems that are accessed from the Internet or by external parties are protected by firewalls or other similar devices. (FFIEC Information Security Booklet, page 46)
All ports are monitored. (FFIEC Information Security Booklet, page 50)
Up to date antivirus and anti-malware tools are used. (FFIEC Information Security Booklet, page 78)
Systems configurations (for servers, desktops, routers, etc.) follow industry standards and are enforced. (FFIEC Information Security Booklet, page 56)
Ports, functions, protocols and services are prohibited if no longer needed for business purposes. (FFIEC Information Security Booklet, page 50)
Access to make changes to systems configurations (including virtual machines and hypervisors) is controlled and monitored. (FFIEC Information Security Booklet, page 56)
Programs that can override system, object, network, virtual machine, and application controls are restricted. (FFIEC Information Security Booklet, page 41)
System sessions are locked after a pre-defined period of inactivity and are terminated after pre-defined conditions are met. (FFIEC Information Security Booklet, page 23)
Wireless network environments require security settings with strong encryption for authentication and transmission. (*N/A if there are no wireless networks.) (FFIEC Information Security Booklet, page 40)

Evolving
There is a firewall at each Internet connection and between any Demilitarized Zone (DMZ) and internal network(s).
Antivirus and intrusion detection/prevention systems (IDS/IPS) detect and block actual and attempted attacks or intrusions.
Technical controls prevent unauthorized devices, including rogue wireless access devices and removable media, from connecting to the internal network(s).
A risk-based solution is in place at the institution or Internet hosting provider to mitigate disruptive cyber attacks (e.g., DDoS attacks).
Guest wireless networks are fully segregated from the internal network(s). (*N/A if there are no wireless networks.)
Domain Name System Security Extensions (DNSSEC) is deployed across the enterprise.
Critical systems supported by legacy technologies are regularly reviewed to identify for potential vulnerabilities, upgrade opportunities, or new defense layers.
Controls for unsupported systems are implemented and tested.

Intermediate
The enterprise network is segmented in multiple, separate trust/security zones with defense-in-depth strategies (e.g., logical network segmentation, hard backups, air-gapping) to mitigate attacks.
Security controls are used for remote access to all administrative consoles, including restricted virtual systems.
Wireless network environments have perimeter firewalls that are implemented and configured to restrict unauthorized traffic. (*N/A if there are no wireless networks.)
Wireless networks use strong encryption with encryption keys that are changed frequently. (*N/A if there are no wireless networks.)
The broadcast range of the wireless network(s) is confined to institution-controlled boundaries. (*N/A if there are no wireless networks.)
Technical measures are in place to prevent the execution of unauthorized code on institution owned or managed devices, network infrastructure, and systems components.

Advanced
Network environments and virtual instances are designed and configured to restrict and monitor traffic between trusted and untrusted zones.
Only one primary function is permitted per server to prevent functions that require different security levels from co-existing on the same server.
Anti-spoofing measures are in place to detect and block forged source IP addresses from entering the network.
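The anti-spoofing statement above is usually met with ingress and egress filtering of the kind described in BCP 38 (and unicast reverse-path forwarding on routers): a packet is only accepted on an interface if its source address belongs behind that interface, and nothing claiming an internal, loopback or private source is accepted from the Internet. The following Python is an added illustration written for this page, not code from the FFIEC Assessment; the interface names, the address plan and the sample packets are constructed, and the documentation ranges 203.0.113.0/24 and 198.51.100.0/24 stand in for arbitrary Internet addresses.

```python
"""Ingress/egress anti-spoofing filter in the style of BCP 38 / unicast RPF.

Added illustration for the 'anti-spoofing measures' statement; it is not part
of the FFIEC Assessment. The interface names, address plan and sample packets
are constructed for the example.
"""
import ipaddress

# Constructed address plan: prefixes that legitimately sit *behind* each interface.
# A packet arriving on an interface must carry a source address from one of the
# prefixes behind that interface; anything else is a forged (or misrouted) source.
INTERFACE_PREFIXES = {
    "inside": [ipaddress.ip_network("10.20.0.0/16")],   # corporate LAN
    "dmz": [ipaddress.ip_network("192.0.2.0/24")],      # DMZ (TEST-NET-1, documentation range)
}

# Sources that must never arrive from the Internet: our own prefixes plus
# RFC 1918, loopback, link-local, multicast and reserved space.
BOGONS_FROM_OUTSIDE = [
    ipaddress.ip_network(n) for n in (
        "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
        "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    )
] + INTERFACE_PREFIXES["inside"] + INTERFACE_PREFIXES["dmz"]


def ingress_verdict(iface, src):
    """Return ("accept" | "drop", reason) for a packet with source `src` seen on `iface`."""
    addr = ipaddress.ip_address(src)
    if iface == "outside":
        for net in BOGONS_FROM_OUTSIDE:
            if addr in net:
                return "drop", f"source {src} in {net} cannot legitimately arrive from the Internet"
        return "accept", "routable external source"
    allowed = INTERFACE_PREFIXES.get(iface)
    if allowed is None:
        return "drop", f"unknown interface {iface}"
    if any(addr in net for net in allowed):
        return "accept", f"{src} is behind {iface}"
    # Egress side of BCP 38: our own hosts may not send with somebody else's address,
    # which is what reflection/amplification DDoS traffic relies on.
    return "drop", f"{src} is not behind {iface}; forged or misrouted source"


def filter_packets(packets):
    """Apply ingress_verdict to (iface, src, dst) tuples and return the dropped ones with reasons."""
    dropped = []
    for iface, src, dst in packets:
        verdict, reason = ingress_verdict(iface, src)
        if verdict == "drop":
            dropped.append((iface, src, dst, reason))
    return dropped


# Constructed sample traffic.
SAMPLE_PACKETS = [
    ("outside", "203.0.113.7", "192.0.2.10"),    # Internet client to DMZ web server: legitimate
    ("outside", "10.20.1.5", "192.0.2.10"),      # claims to be our LAN: forged
    ("outside", "127.0.0.1", "192.0.2.10"),      # loopback as source: forged
    ("inside", "10.20.4.40", "203.0.113.7"),     # workstation to Internet: legitimate
    ("inside", "198.51.100.9", "203.0.113.7"),   # LAN host using a foreign source: forged
    ("dmz", "192.0.2.10", "10.20.4.40"),         # DMZ server replying inward: legitimate
]

if __name__ == "__main__":
    for iface, src, dst, reason in filter_packets(SAMPLE_PACKETS):
        print(f"DROP {iface} {src} -> {dst}: {reason}")
```

In production this logic lives in router or firewall ACLs (or in strict/loose uRPF), not in Python; the point of the example is the two directions of the check. The inside-interface rule is the one most often missing, and it is the one that stops the institution's own hosts from being used as DDoS reflectors. Strict source checking breaks on multihomed links with asymmetric routing, which is why loose-mode uRPF exists for those interfaces.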

 

 

 

 

 

 

 

 

Innovative
The institution risk scores all of its infrastructure assets and updates in real time based on threats, vulnerabilities, or operational changes.
Automated controls are put in place based on risk scores to infrastructure assets, including automatically disconnecting affected assets.
The institution proactively seeks to identify control gaps that may be used as part of a zero-day attack.


Public-facing servers are routinely rotated and restored to a known clean state to limit the window of time a system is exposed to potential threats.

Component: Access and Data Management

Baseline
Employee access is granted to systems and confidential data based on job responsibilities and the principles of least privilege. (FFIEC Information Security Booklet, page 19)
Employee access to systems and confidential data provides for separation of duties. (FFIEC Information Security Booklet, page 19)
Elevated privileges (e.g., administrator privileges) are limited and tightly controlled (e.g., assigned to individuals, not shared, and require stronger password controls). (FFIEC Information Security Booklet, page 19)
User access reviews are performed periodically for all systems and applications based on the risk to the application or system. (FFIEC Information Security Booklet, page 18)
Changes to physical and logical user access, including those that result from voluntary and involuntary terminations, are submitted to and approved by appropriate personnel. (FFIEC Information Security Booklet, page 18)
Identification and authentication are required and managed for access to systems, applications, and hardware. (FFIEC Information Security Booklet, page 21)
Access controls include password complexity and limits to password attempts and reuse. (FFIEC Information Security Booklet, page 66)
All default passwords and unnecessary default accounts are changed before system implementation. (FFIEC Information Security Booklet, page 61)
Customer access to Internet-based products or services requires authentication controls (e.g., layered controls, multifactor) that are commensurate with the risk. (FFIEC Information Security Booklet, page 21)
Production and non-production environments are segregated to prevent unauthorized access or changes to information assets. (*N/A if no production environment exists at the institution or the institution’s third party.) (FFIEC Information Security Booklet, page 64)
Physical security controls are used to prevent unauthorized access to information systems and telecommunication systems. (FFIEC Information Security Booklet, page 47)
All passwords are encrypted in storage and in transit. (FFIEC Information Security Booklet, page 21)
Confidential data are encrypted when transmitted across public or untrusted networks (e.g., Internet). (FFIEC Information Security Booklet, page 51)
Mobile devices (e.g., laptops, tablets, and removable media) are encrypted if used to store confidential data. (*N/A if mobile devices are not used.) (FFIEC Information Security Booklet, page 51)
Remote access to critical systems by employees, contractors, and third parties uses encrypted connections and multifactor authentication. (FFIEC Information Security Booklet, page 45)
Administrative, physical, or technical controls are in place to prevent users without administrative responsibilities from installing unauthorized software. (FFIEC Information Security Booklet, page 25)
Customer service (e.g., the call center) utilizes formal procedures to authenticate customers commensurate with the risk of the transaction or request. (FFIEC Information Security Booklet, page 19)
Data is disposed of or destroyed according to documented requirements and within expected time frames. (FFIEC Information Security Booklet, page 66)
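The Baseline statements on password complexity, attempt limits, reuse and protected storage describe controls that an authentication service enforces together. The Python below is an added illustration written for this page, not code from the FFIEC Assessment; the policy values (12 characters, 3 character classes, 5 attempts, 15-minute lockout, 12-password history) are constructed, and "encrypted in storage" is realised the way practitioners actually implement it, as a salted one-way PBKDF2 hash, so no stored value can be turned back into the password. Comparison uses hmac.compare_digest so that verification time does not leak how many bytes matched.

```python
"""Password-policy enforcement: complexity, attempt lockout, reuse history and
salted one-way hashing. Added illustration for the access-control statements
above; not part of the FFIEC Assessment. Limits and the sample account are
constructed for the example.
"""
import hashlib
import hmac
import os
import re

PBKDF2_ITERATIONS = 600_000   # PBKDF2-HMAC-SHA256 work factor (OWASP's 2023 recommendation)
MIN_LENGTH = 12
MIN_CLASSES = 3               # of: lowercase, uppercase, digit, symbol
MAX_ATTEMPTS = 5              # failed attempts before lockout
LOCKOUT_SECONDS = 15 * 60
HISTORY_DEPTH = 12            # previous passwords that may not be reused


def check_complexity(password):
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum(bool(re.search(p, password)) for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < MIN_CLASSES:
        problems.append(f"fewer than {MIN_CLASSES} character classes")
    return problems


def hash_password(password, salt=None):
    """Salted PBKDF2 digest: one-way, so the stored value cannot be decrypted back to the password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


class Account:
    """Minimal account record; `now` is passed in as epoch seconds so the logic is testable."""

    def __init__(self, username, password, now):
        self.username = username
        self.history = []          # (salt, digest) pairs, newest last; only hashes are kept
        self.failed = 0
        self.locked_until = 0.0
        self.set_password(password, now)

    def set_password(self, new_password, now):
        problems = check_complexity(new_password)
        if problems:
            raise ValueError("; ".join(problems))
        for salt, digest in self.history[-HISTORY_DEPTH:]:
            if verify_password(new_password, salt, digest):
                raise ValueError(f"password reused within the last {HISTORY_DEPTH} passwords")
        self.history.append(hash_password(new_password))
        self.failed, self.locked_until = 0, 0.0

    def login(self, password, now):
        """Return 'ok', 'bad' or 'locked'. Attempts during a lockout are refused without being verified."""
        if now < self.locked_until:
            return "locked"
        salt, digest = self.history[-1]
        if verify_password(password, salt, digest):
            self.failed = 0
            return "ok"
        self.failed += 1
        if self.failed >= MAX_ATTEMPTS:
            self.locked_until = now + LOCKOUT_SECONDS
            self.failed = 0
        return "bad"


def change_allowed(account, new_password, now):
    """True if the policy accepts `new_password` for `account` (and applies it), False otherwise."""
    try:
        account.set_password(new_password, now)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    acct = Account("jdoe", "Correct-Horse-42", 1000.0)            # constructed sample account
    print([acct.login("wrong-Guess-9", 1002.0) for _ in range(MAX_ATTEMPTS)])
    print(acct.login("Correct-Horse-42", 1003.0))                  # refused: locked
    print(acct.login("Correct-Horse-42", 1002.0 + LOCKOUT_SECONDS))  # accepted again
    print(change_allowed(acct, "Correct-Horse-42", 2000.0))        # rejected: reuse
```

PBKDF2 is used because it is in the Python standard library; where a memory-hard function such as Argon2id or scrypt is available it is the better choice. Two operational caveats: a lockout that anyone can trigger by typing a victim's username is itself a denial-of-service lever, so pair it with per-source rate limiting and a notification to the account owner rather than an indefinite lock; and the reuse check has to hash the candidate once per history entry, which is the cost of keeping only hashes rather than anything reversible.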

 

 

 

 

 

Evolving
Changes to user access permissions trigger automated notices to appropriate personnel.
Administrators have two accounts: one for administrative use and one for general purpose, non-administrative tasks.
Use of customer data in non-production environments complies with legal, regulatory, and internal policy requirements for concealing or removing of sensitive data elements.
Physical access to high-risk or confidential systems is restricted, logged, and unauthorized access is blocked.
Controls are in place to prevent unauthorized access to cryptographic keys.

 

 

 

 


Intermediate
The institution has implemented tools to prevent unauthorized access to or exfiltration of confidential data.
Controls are in place to prevent unauthorized escalation of user privileges.
Access controls are in place for database administrators to prevent unauthorized downloading or transmission of confidential data.
All physical and logical access is removed immediately upon notification of involuntary termination and within 24 hours of an employee’s voluntary departure.
Multifactor authentication and/or layered controls have been implemented to secure all third-party access to the institution's network and/or systems and applications.
Multifactor authentication (e.g., tokens, digital certificates) techniques are used for employee access to high-risk systems as identified in the risk assessment(s). (*N/A if no high risk systems.)
Confidential data are encrypted in transit across private connections (e.g., frame relay and T1) and within the institution’s trusted zones.
Controls are in place to prevent unauthorized access to collaborative computing devices and applications (e.g., networked white boards, cameras, microphones, online applications such as instant messaging and document sharing). (*N/A if collaborative computing devices are not used.)

Advanced
Encryption of select data at rest is determined by the institution’s data classification and risk assessment.
Customer authentication for high-risk transactions includes methods to prevent malware and man-in-the-middle attacks (e.g., using visual transaction signing).


Innovative
Adaptive access controls de-provision or isolate an employee, third-party, or customer credentials to minimize potential damage if malicious behavior is suspected.
Unstructured confidential data are tracked and secured through an identity-aware, cross-platform storage system that protects against internal threats, monitors user access, and tracks changes.
Tokenization is used to substitute unique values for confidential information (e.g., virtual credit card).
The institution is leading efforts to create new technologies and processes for managing customer, employee, and third-party authentication and access.
Real-time risk mitigation is taken based on automated risk scoring of user credentials.

Component: Device/End-Point Security

Baseline
Controls are in place to restrict the use of removable media to authorized personnel. (FFIEC Information Security Work Program, Objective I: 4-1)

Evolving
Tools automatically block attempted access from unpatched employee and third-party devices.
Tools automatically block attempted access by unregistered devices to internal networks.
The institution has controls to prevent the unauthorized addition of new connections.
Controls are in place to prevent unauthorized individuals from copying confidential data to removable media.
Antivirus and anti-malware tools are deployed on end-point devices (e.g., workstations, laptops, and mobile devices).
Mobile devices with access to the institution’s data are centrally managed for antivirus and patch deployment. (*N/A if mobile devices are not used.)
The institution wipes data remotely on mobile devices when a device is missing or stolen. (*N/A if mobile devices are not used.)

Intermediate
Data loss prevention controls or devices are implemented for inbound and outbound communications (e.g., e-mail, FTP, Telnet, prevention of large file transfers).
Mobile device management includes integrity scanning (e.g., jailbreak/rooted detection). (*N/A if mobile devices are not used.)
Mobile devices connecting to the corporate network for storing and accessing company information allow for remote software version/patch validation. (*N/A if mobile devices are not used.)


Advanced
Employees’ and third parties’ devices (including mobile) without the latest security patches are quarantined and patched before the device is granted access to the network.
Confidential data and applications on mobile devices are only accessible via a secure, isolated sandbox or a secure container.

Innovative
A centralized end-point management tool provides fully integrated patch, configuration, and vulnerability management, while also being able to detect malware upon arrival to prevent an exploit.

Component: Secure Coding

Baseline
Developers working for the institution follow secure program coding practices, as part of a system development life cycle (SDLC), that meet industry standards. (FFIEC Information Security Booklet, page 56)
The security controls of internally developed software are periodically reviewed and tested. (*N/A if there is no software development.) (FFIEC Information Security Booklet, page 59)
The security controls in internally developed software code are independently reviewed before migrating the code to production. (*N/A if there is no software development.) (FFIEC Development and Acquisition Booklet, page 2)
Intellectual property and production code are held in escrow. (*N/A if there is no production code to hold in escrow.) (FFIEC Development and Acquisition Booklet, page 39)

Evolving
Security testing occurs at all post-design phases of the SDLC for all applications, including mobile applications. (*N/A if there is no software development.)

Intermediate
Processes are in place to mitigate vulnerabilities identified as part of the secure development of systems and applications.
The security of applications, including Web-based applications connected to the Internet, is tested against known types of cyber attacks (e.g., SQL injection, cross-site scripting, buffer overflow) before implementation or following significant changes.
Software code executables and scripts are digitally signed to confirm the software author and guarantee that the code has not been altered or corrupted.
A risk-based, independent information assurance function evaluates the security of internal applications.
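The Intermediate statement that applications are "tested against known types of cyber attacks (e.g., SQL injection ...)" is the kind of check that belongs in the test suite, not only in a pre-release penetration test. The Python below is an added illustration written for this page, not code from the FFIEC Assessment: a lookup routine in its vulnerable, string-built form beside its parameterised form, and a small harness that runs the same injection payloads against both and reports every case where the query returned something other than what a correct lookup must return. The table, rows and payloads are constructed; the database is in-memory SQLite.

```python
"""Injection test of a lookup routine: the vulnerable string-built query beside
the parameterised one, exercised with the same payloads. Added illustration for
the secure-coding statements above; not part of the FFIEC Assessment. The table,
rows and payloads are constructed for the example.
"""
import sqlite3


def build_db():
    """In-memory SQLite with a constructed accounts table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner TEXT, balance INTEGER)")
    db.executemany("INSERT INTO accounts (owner, balance) VALUES (?, ?)",
                   [("alice", 120), ("bob", 4500), ("carol", 9)])
    return db


def lookup_vulnerable(db, owner):
    """Before: untrusted text is concatenated into SQL and becomes part of the statement."""
    sql = "SELECT owner, balance FROM accounts WHERE owner = '" + owner + "'"
    return db.execute(sql).fetchall()


def lookup_safe(db, owner):
    """After: a bound parameter is always data, never SQL, whatever characters it contains."""
    return db.execute("SELECT owner, balance FROM accounts WHERE owner = ?", (owner,)).fetchall()


# Constructed test payloads, each with the row count a correct lookup must return for it.
PAYLOADS = [
    ("alice", 1),                                               # benign control case
    ("' OR '1'='1", 0),                                         # tautology: dumps every row if injectable
    ("x' UNION SELECT name, sql FROM sqlite_master --", 0),     # schema disclosure through UNION
    ("x'; DROP TABLE accounts; --", 0),                         # stacked statement
]


def injection_findings(lookup):
    """Run every payload against `lookup` on a fresh database; return (payload, result) per deviation.

    A result set that differs from the expected row count, or a database error provoked by the
    payload, means attacker-controlled text changed the query. Errors count as findings because
    they are exactly the signal an attacker uses to refine an injection.
    """
    db = build_db()
    findings = []
    for payload, expected_rows in PAYLOADS:
        try:
            rows = lookup(db, payload)
        except (sqlite3.Error, sqlite3.Warning) as exc:
            findings.append((payload, f"error: {exc}"))
            continue
        if len(rows) != expected_rows:
            findings.append((payload, rows))
    return findings


if __name__ == "__main__":
    for name, fn in (("vulnerable", lookup_vulnerable), ("safe", lookup_safe)):
        print(name, injection_findings(fn))
```

Against the vulnerable lookup the tautology returns all three rows, the UNION payload returns the CREATE TABLE statement from sqlite_master, and the stacked statement produces an error (Python's sqlite3 module refuses to execute more than one statement per call; drivers for other databases will happily run the DROP, which is the point of including the payload). Against the parameterised lookup every payload returns zero rows and the control case returns one, so the harness reports nothing. The same shape of test, with the payload list extended over time from real findings, is what makes the "before implementation or following significant changes" requirement cheap to meet.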

 

 

 

 

 

 

 

 

 

 

 

 

Advanced
Vulnerabilities identified through a static code analysis are remediated before implementing newly developed or changed applications into production.
All interdependencies between applications and services have been identified.
Independent code reviews are completed on internally developed or vendor-provided custom applications to ensure there are no security gaps.

Innovative
Software code is actively scanned by automated tools in the development environment so that security weaknesses can be resolved immediately during the design phase.

Assessment Factor: Detective Controls

Component: Threat and Vulnerability Detection

Baseline
Independent testing (including penetration testing and vulnerability scanning) is conducted according to the risk assessment for external-facing systems and the internal network. (FFIEC Information Security Booklet, page 61)
Antivirus and anti-malware tools are used to detect attacks. (FFIEC Information Security Booklet, page 55)
Firewall rules are audited or verified at least quarterly. (FFIEC Information Security Booklet, page 82)
E-mail protection mechanisms are used to filter for common cyber threats (e.g., attached malware or malicious links). (FFIEC Information Security Booklet, page 39)

Evolving
Independent penetration testing of network boundary and critical Web-facing applications is performed routinely to identify security control gaps.
Independent penetration testing is performed on Internet-facing applications or systems before they are launched or undergo significant change.
Antivirus and anti-malware tools are updated automatically.
Firewall rules are updated routinely.
Vulnerability scanning is conducted and analyzed before deployment/redeployment of new/existing devices.
Processes are in place to monitor potential insider activity that could lead to data theft or destruction.

Intermediate
Audit or risk management resources review the penetration testing scope and results to help determine the need for rotating companies based on the quality of the work.
E-mails and attachments are automatically scanned to detect malware and are blocked when malware is present.

June 2015

41

 

 

 

FFIEC Cybersecurity Assessment Tool

Cybersecurity Maturity: Domain 3

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Advanced

 

Weekly vulnerability scanning is rotated among environments to scan all

 

 

 

 

 

 

environments throughout the year.

 

 

 

 

 

 

 

Penetration tests include cyber attack simulations and/or real-world

 

 

 

 

 

 

tactics and techniques such as red team testing to detect control gaps in

 

 

 

 

 

 

employee behavior, security defenses, policies, and resources.

 

 

 

 

 

 

Automated tool(s) proactively identifies high-risk behavior signaling an employee who may pose an insider threat.

Innovative

User tasks and content (e.g., opening an e-mail attachment) are automatically isolated in a secure container or virtual environment so that malware can be analyzed but cannot access vital data, end-point operating systems, or applications on the institution’s network.

Vulnerability scanning is performed on a weekly basis across all environments.

ANOMALOUS ACTIVITY DETECTION

Baseline

The institution is able to detect anomalous activities through monitoring across the environment. (FFIEC Information Security Booklet, page 32)

Customer transactions generating anomalous activity alerts are monitored and reviewed. (FFIEC Wholesale Payments Booklet, page 12)

Logs of physical and/or logical access are reviewed following events. (FFIEC Information Security Booklet, page 73)

Access to critical systems by third parties is monitored for unauthorized or unusual activity. (FFIEC Outsourcing Booklet, page 26)

Elevated privileges are monitored. (FFIEC Information Security Booklet, page 19)

Evolving

Systems are in place to detect anomalous behavior automatically during customer, employee, and third-party authentication.

Security logs are reviewed regularly.

Logs provide traceability for all system access by individual users.

Thresholds have been established to determine activity within logs that would warrant management response.
June 2015

42

FFIEC Cybersecurity Assessment Tool

Cybersecurity Maturity: Domain 3

Intermediate

Online customer transactions are actively monitored for anomalous behavior.

Tools to detect unauthorized data mining are used.

Tools actively monitor security logs for anomalous behavior and alert within established parameters.

Audit logs are backed up to a centralized log server or media that is difficult to alter.

Thresholds for security logging are evaluated periodically.

Anomalous activity and other network and system alerts are correlated across business units to detect and prevent multifaceted attacks (e.g., simultaneous account takeover and DDoS attack).

Advanced

An automated tool triggers system and/or fraud alerts when customer logins occur within a short period of time but from physically distant IP locations.

External transfers from customer accounts generate alerts and require review and authorization if anomalous behavior is detected.

A system is in place to monitor and analyze employee behavior (network use patterns, work hours, and known devices) to alert on anomalous activities.

An automated tool(s) is in place to detect and prevent data mining by insider threats.

Tags on fictitious confidential data or files are used to provide advanced alerts of potential malicious activity when the data is accessed.

Innovative

The institution has a mechanism for real-time automated risk scoring of threats.

The institution is developing new technologies that will detect potential insider threats and block activity in real time.
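The Advanced statement about logins "within a short period of time but from physically distant IP locations" describes what detection engineers usually call an impossible-travel check. The following Python is an added example written for this page; it is not part of the FFIEC Assessment or of any vendor tool. It assumes the IP-to-location step has already been done by a GeoIP lookup, so every event carries a latitude and longitude (hypothetical field names), and it uses a constructed authentication log with documentation-range IP addresses. The speed and distance thresholds are assumptions that an institution would set in its own alerting policy.

```python
"""Impossible-travel login alerting over a constructed authentication log.

Added example, not part of the FFIEC Assessment. Assumes a GeoIP lookup has
already resolved each source IP to latitude/longitude (hypothetical fields).
"""
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Alerting parameters (assumed policy values for this example).
MAX_PLAUSIBLE_SPEED_KMH = 900.0  # faster than a commercial flight is not plausible
MIN_DISTANCE_KM = 100.0          # ignore GeoIP jitter inside one metro area


@dataclass(frozen=True)
class LoginEvent:
    user: str
    ts: datetime
    ip: str
    lat: float
    lon: float


@dataclass(frozen=True)
class TravelAlert:
    user: str
    first_ip: str
    second_ip: str
    distance_km: float
    minutes: float
    implied_speed_kmh: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points on the Earth, in kilometres."""
    earth_radius_km = 6371.0
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def parse_event(line):
    """Parse one constructed log line: ISO timestamp,user,ip,lat,lon."""
    ts, user, ip, lat, lon = line.split(",")
    return LoginEvent(user, datetime.fromisoformat(ts), ip, float(lat), float(lon))


def find_impossible_travel(events, max_speed_kmh=MAX_PLAUSIBLE_SPEED_KMH,
                           min_distance_km=MIN_DISTANCE_KM):
    """Compare each user's consecutive logins; alert when the implied speed is not plausible."""
    by_user = {}
    for e in sorted(events, key=lambda e: (e.user, e.ts)):
        by_user.setdefault(e.user, []).append(e)

    alerts = []
    for user, seq in by_user.items():
        for prev, cur in zip(seq, seq[1:]):
            dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            if dist < min_distance_km:
                continue  # same city, nothing to explain
            hours = (cur.ts - prev.ts).total_seconds() / 3600.0
            # Distant logins in the same second: treat the speed as unbounded.
            speed = float("inf") if hours <= 0 else dist / hours
            if speed > max_speed_kmh:
                alerts.append(TravelAlert(
                    user, prev.ip, cur.ip, round(dist, 1), round(hours * 60, 1),
                    speed if speed == float("inf") else round(speed, 1)))
    return alerts


# Constructed sample log (documentation-range IPs, fictitious users).
# alice: New York then London 25 minutes later -> alert.
# bob:   Chicago then Los Angeles 9.5 hours later -> plausible, no alert.
# carol: two logins a few km apart in New York -> below the distance floor.
SAMPLE_LOG = """\
2015-06-01T09:00:00+00:00,alice,192.0.2.10,40.7128,-74.0060
2015-06-01T09:25:00+00:00,alice,203.0.113.7,51.5074,-0.1278
2015-06-01T08:00:00+00:00,bob,198.51.100.4,41.8781,-87.6298
2015-06-01T17:30:00+00:00,bob,198.51.100.9,34.0522,-118.2437
2015-06-01T10:00:00+00:00,carol,192.0.2.55,40.7128,-74.0060
2015-06-01T10:05:00+00:00,carol,192.0.2.56,40.7300,-73.9900
"""


def detect_sample():
    """Run the check over the constructed log and return the alerts raised."""
    return find_impossible_travel([parse_event(l) for l in SAMPLE_LOG.splitlines()])


if __name__ == "__main__":
    for a in detect_sample():
        print(f"ALERT {a.user}: {a.first_ip} -> {a.second_ip}, "
              f"{a.distance_km} km in {a.minutes} min ({a.implied_speed_kmh} km/h)")
```

Only alice's pair trips the check. The distance floor matters in practice: GeoIP databases place addresses at city centroids, so two consecutive logins from different carriers in one city can be tens of kilometres apart with no real travel, and without the floor those would produce noise rather than signal.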

 

 

 


 

 

EVENT DETECTION

Baseline

A normal network activity baseline is established. (FFIEC Information Security Booklet, page 77)

Mechanisms (e.g., antivirus alerts, log event alerts) are in place to alert management to potential attacks. (FFIEC Information Security Booklet, page 78)

Processes are in place to monitor for the presence of unauthorized users, devices, connections, and software. (FFIEC Information Security Work Program, Objective II: M-9)

Responsibilities for monitoring and reporting suspicious systems activity have been assigned. (FFIEC Information Security Booklet, page 83)

The physical environment is monitored to detect potential unauthorized access. (FFIEC Information Security Booklet, page 47)

Evolving

A process is in place to correlate event information from multiple sources (e.g., network, application, or firewall).

Intermediate

Controls or tools (e.g., data loss prevention) are in place to detect potential unauthorized or unintentional transmissions of confidential data.

Event detection processes are proven reliable.

Specialized security monitoring is used for critical assets throughout the infrastructure.

Advanced

Automated tools detect unauthorized changes to critical system files, firewalls, IPS, IDS, or other security devices.

Real-time network monitoring and detection is implemented and incorporates sector-wide event information.

Real-time alerts are automatically sent when unauthorized software, hardware, or changes occur.

Tools are in place to actively correlate event information from multiple sources and send alerts based on established parameters.

Innovative

The institution is leading efforts to develop event detection systems that will correlate in real time when events are about to occur.

The institution is leading the development effort to design new technologies that will detect potential insider threats and block activity in real time.
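Two statements on this page call for the same mechanism: the Anomalous Activity Detection item that correlates alerts across business units to catch a multifaceted attack such as "simultaneous account takeover and DDoS attack", and the Event Detection item that correlates event information from multiple sources and alerts "based on established parameters". The Python below is an added example for both, written for this page rather than taken from the FFIEC Assessment or any SIEM product. It assumes that each monitoring tool has already normalized its output into a small alert record (source, kind, timestamp; hypothetical field names) and that the correlation window and the required alert kinds are the "established parameters". The input is a constructed alert stream.

```python
"""Cross-source alert correlation over a constructed alert stream.

Added example, not part of the FFIEC Assessment. Assumes upstream tools emit
normalized alerts with a source (tool or business unit) and a kind.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Alert:
    ts: datetime
    source: str  # tool or business unit that raised it, e.g. "fraud_ops"
    kind: str    # normalized event type, e.g. "account_takeover"


@dataclass(frozen=True)
class CorrelationRule:
    name: str
    required_kinds: frozenset  # every kind must be seen inside the window
    window: timedelta
    min_sources: int = 2       # must be reported by at least this many sources


@dataclass(frozen=True)
class CompositeAlert:
    rule: str
    start: datetime
    end: datetime
    sources: tuple


def parse_alert(line):
    """Parse one constructed line: ISO timestamp,source,kind."""
    ts, source, kind = line.split(",")
    return Alert(datetime.fromisoformat(ts), source, kind)


def correlate(alerts, rules):
    """Slide a time window over each rule's alerts; emit one composite per covered run."""
    alerts = sorted(alerts, key=lambda a: a.ts)
    composites = []
    for rule in rules:
        relevant = [a for a in alerts if a.kind in rule.required_kinds]
        covered_until = None  # suppress duplicates for a run already reported
        for i, anchor in enumerate(relevant):
            if covered_until is not None and anchor.ts <= covered_until:
                continue
            window = [a for a in relevant[i:] if a.ts - anchor.ts <= rule.window]
            kinds = {a.kind for a in window}
            sources = {a.source for a in window}
            if kinds >= rule.required_kinds and len(sources) >= rule.min_sources:
                end = max(a.ts for a in window)
                composites.append(CompositeAlert(rule.name, anchor.ts, end, tuple(sorted(sources))))
                covered_until = end
    return composites


# Established parameters (assumed for this example): a volumetric DDoS and an
# account-takeover alert from different units within 15 minutes of each other.
RULES = [
    CorrelationRule(
        name="account_takeover_under_ddos",
        required_kinds=frozenset({"ddos_volumetric", "account_takeover"}),
        window=timedelta(minutes=15),
    ),
]

# Constructed alert stream. The 10:00-10:06 cluster is the multifaceted case;
# the 15:00 DDoS and the 16:00 takeover each stand alone and must not correlate.
SAMPLE_ALERTS = """\
2015-06-01T10:00:00+00:00,network_ops,ddos_volumetric
2015-06-01T10:04:00+00:00,fraud_ops,account_takeover
2015-06-01T10:06:00+00:00,fraud_ops,wire_transfer_anomaly
2015-06-01T15:00:00+00:00,network_ops,ddos_volumetric
2015-06-01T16:00:00+00:00,fraud_ops,account_takeover
"""


def correlate_sample():
    """Run the rules over the constructed stream and return the composite alerts."""
    return correlate([parse_alert(l) for l in SAMPLE_ALERTS.splitlines()], RULES)


if __name__ == "__main__":
    for c in correlate_sample():
        print(f"COMPOSITE {c.rule}: {c.start} to {c.end}, sources={c.sources}")
```

The min_sources parameter is what makes this a cross-unit correlation rather than a single tool firing twice: a rule only matches when the required kinds arrive from at least two distinct reporting sources. The covered_until marker prevents one attack run from generating a fresh composite alert for every member of the cluster.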

 

 

 


 

 

PATCH MANAGEMENT

Assessment Factor: Corrective Controls

Baseline

A patch management program is implemented and ensures that software and firmware patches are applied in a timely manner. (FFIEC Information Security Booklet, page 62)

Patches are tested before being applied to systems and/or software. (FFIEC Operations Booklet, page 22)

Patch management reports are reviewed and reflect missing security patches. (FFIEC Development and Acquisition Booklet, page 50)

Evolving

A formal process is in place to acquire, test, and deploy software patches based on criticality.

Systems are configured to retrieve patches automatically.

Operational impact is evaluated before deploying security patches.

An automated tool(s) is used to identify missing security patches as well as the number of days since each patch became available.

Missing patches across all environments are prioritized and tracked.

Intermediate

Patches for high-risk vulnerabilities are tested and applied when released or the risk is accepted and accountability assigned.

Advanced

Patch monitoring software is installed on all servers to identify any missing patches for the operating system software, middleware, database, and other key software.

The institution monitors patch management reports to ensure security patches are tested and implemented within aggressive time frames (e.g., 0-30 days).

Innovative

The institution develops security patches or bug fixes or contributes to open source code development for systems it uses.

Segregated or separate systems are in place that mirror production systems allowing for rapid testing and implementation of patches and provide for rapid fallback when needed.
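The Evolving statements ask for a tool that identifies missing security patches together with the number of days since each became available, and for those gaps to be prioritized and tracked across all environments; the Advanced statement adds a time frame (e.g., 0-30 days) against which reports are checked. The Python below is an added example of that reporting logic, written for this page and not taken from the FFIEC Assessment or from any patch-management product. It assumes a patch catalog (id, severity, release date) and a per-host list of installed patch ids are already available from an inventory feed; the patch ids, hosts, dates, and the per-severity time frames are constructed placeholders.

```python
"""Missing-patch report: age in days, severity ordering, and time-frame breaches.

Added example, not part of the FFIEC Assessment. Patch ids, hosts and the
SLA table are placeholders constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}
# Assumed policy: days allowed from release to installation, per severity.
SLA_DAYS = {"critical": 30, "high": 30, "medium": 60, "low": 90}


@dataclass(frozen=True)
class Patch:
    patch_id: str
    severity: str
    released: date


@dataclass(frozen=True)
class Host:
    name: str
    environment: str   # e.g. "prod", "dev"
    installed: frozenset


@dataclass(frozen=True)
class MissingPatch:
    host: str
    environment: str
    patch_id: str
    severity: str
    days_available: int
    sla_breached: bool


def missing_patches(hosts, catalog, as_of, sla_days=SLA_DAYS):
    """List every (host, patch) gap, oldest and most severe first."""
    findings = []
    for host in hosts:
        for p in catalog:
            if p.patch_id in host.installed:
                continue
            age = (as_of - p.released).days
            findings.append(MissingPatch(
                host.name, host.environment, p.patch_id, p.severity,
                age, age > sla_days[p.severity]))
    # Severity first, then the longest-outstanding patch, then a stable tie-break.
    findings.sort(key=lambda f: (SEVERITY_RANK[f.severity], -f.days_available,
                                 f.environment, f.host))
    return findings


def summarize(findings):
    """Per-environment counts suitable for a management patch report."""
    by_env = {}
    for f in findings:
        row = by_env.setdefault(f.environment, {"missing": 0, "sla_breached": 0})
        row["missing"] += 1
        row["sla_breached"] += int(f.sla_breached)
    return by_env


# Constructed catalog and inventory (placeholder ids, not real advisories).
CATALOG = [
    Patch("KB-0001", "critical", date(2015, 4, 20)),
    Patch("KB-0002", "high", date(2015, 5, 15)),
    Patch("KB-0003", "low", date(2015, 5, 28)),
]
HOSTS = [
    Host("prod-web-01", "prod", frozenset({"KB-0001"})),
    Host("prod-db-01", "prod", frozenset()),
    Host("dev-ci-01", "dev", frozenset({"KB-0001", "KB-0002"})),
]
REPORT_DATE = date(2015, 6, 1)


def sample_findings():
    """Build the report for the constructed inventory as of REPORT_DATE."""
    return missing_patches(HOSTS, CATALOG, REPORT_DATE)


if __name__ == "__main__":
    for f in sample_findings():
        flag = "BREACH" if f.sla_breached else "ok"
        print(f"{f.environment:5} {f.host:12} {f.patch_id} {f.severity:8} "
              f"{f.days_available:3}d {flag}")
    print(summarize(sample_findings()))
```

In the constructed data, prod-db-01 has been missing a critical patch for 42 days, which is the only entry outside the assumed 30-day frame; it sorts to the top of the report. Ordering by severity and then by age is what turns a raw list of gaps into the prioritized, tracked queue the Evolving statement describes, and the per-environment summary is the figure a reviewer would compare against the time frame.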

 

 

 


 

 

REMEDIATION

Baseline

Issues identified in assessments are prioritized and resolved based on criticality and within the time frames established in the response to the assessment report. (FFIEC Information Security Booklet, page 87)

Evolving

Data is destroyed or wiped on hardware and portable/mobile media when a device is missing, stolen, or no longer needed.

Formal processes are in place to resolve weaknesses identified during penetration testing.

Intermediate

Remediation efforts are confirmed by conducting a follow-up vulnerability scan.

Penetration testing is repeated to confirm that medium- and high-risk, exploitable vulnerabilities have been resolved.

Security investigations, forensic analysis, and remediation are performed by qualified staff or third parties.

Generally accepted and appropriate forensic procedures, including chain of custody, are used to gather and present evidence to support potential legal action.

The maintenance and repair of organizational assets are performed by authorized individuals with approved and controlled tools.

The maintenance and repair of organizational assets are logged in a timely manner.

Advanced

All medium and high risk issues identified in penetration testing, vulnerability scanning, and other independent testing are escalated to the board or an appropriate board committee for risk acceptance if not resolved in a timely manner.

Innovative

The institution is developing technologies that will remediate systems damaged by zero-day attacks to maintain current recovery time objectives.

 

 

 


Cybersecurity Maturity: Domain 4

 

 

Domain 4: External Dependency Management

Assessment Factor: Connections

CONNECTIONS

Baseline

The critical business processes that are dependent on external connectivity have been identified. (FFIEC Information Security Booklet, page 9)

The institution ensures that third-party connections are authorized. (FFIEC Information Security Booklet, page 17)

A network diagram is in place and identifies all external connections. (FFIEC Information Security Booklet, page 9)

Data flow diagrams are in place and document information flow to external parties. (FFIEC Information Security Booklet, page 10)

Evolving

Critical business processes have been mapped to the supporting external connections.

The network diagram is updated when connections with third parties change or at least annually.

Network and systems diagrams are stored in a secure manner with proper restrictions on access.

Controls for primary and backup third-party connections are monitored and tested on a regular basis.

Intermediate

A validated asset inventory is used to create comprehensive diagrams depicting data repositories, data flow, infrastructure, and connectivity.

Security controls are designed and verified to detect and prevent intrusions from third-party connections.

Monitoring controls cover all external connections (e.g., third-party service providers, business partners, customers).

Monitoring controls cover all internal network-to-network connections.

Advanced

The security architecture is validated and documented before network connection infrastructure changes.

The institution works closely with third-party service providers to maintain and improve the security of external connections.

 

 

 

 


 

 

Innovative

Diagram(s) of external connections is interactive, shows real-time changes to the network connection infrastructure, new connections, and volume fluctuations, and alerts when risks arise.

The institution's connections can be segmented or severed instantaneously to prevent contagion from cyber attacks.

DUE DILIGENCE

Assessment Factor: Relationship Management

Baseline

Risk-based due diligence is performed on prospective third parties before contracts are signed, including reviews of their background, reputation, financial condition, stability, and security controls. (FFIEC Information Security Booklet, page 69)

A list of third-party service providers is maintained. (FFIEC Outsourcing Booklet, page 19)

A risk assessment is conducted to identify criticality of service providers. (FFIEC Outsourcing Booklet, page 6)

Evolving

A formal process exists to analyze assessments of third-party cybersecurity controls.

The board or an appropriate board committee reviews a summary of due diligence results including management’s recommendations to use third parties that will affect the institution’s inherent risk profile.

Intermediate

A process is in place to confirm that the institution’s third-party service providers conduct due diligence of their third parties (e.g., subcontractors).

Pre-contract, physical site visits of high-risk vendors are conducted by the institution or by a qualified third party.