FFIEC Cybersecurity Assessment Tool: Frequently Asked Questions
What is the FFIEC Cybersecurity Assessment Tool?
In response to the current cybersecurity landscape, the Federal Financial Institutions Examination Council (FFIEC) has developed the Cybersecurity Assessment Tool (Assessment). The goal of the Assessment is to allow organizations within the financial industry to assess their cybersecurity risk and determine how to improve the security of their organization. The Assessment provides businesses with a repeatable and measurable process to improve cybersecurity preparedness over time.
The Assessment uses principles derived from the FFIEC Information Technology (IT) Examination Handbook, as well as concepts from the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework. Additionally, the Assessment is consistent with industry-accepted cybersecurity practices.
What does the Assessment consist of?
This two-part assessment includes an inherent risk profile and cybersecurity maturity evaluation. Once both parts are completed, management can allocate resources to improve information security based on risk and maturity.
Inherent Risk Profile
The inherent risk profile is used to identify where an organization’s risks lie. Inherent risk profiling includes the following categories:
- Technologies and Connection Type: Specific types of connections and technologies may pose a higher risk to your organization depending on the complexity and maturity, connections, and nature of the specific technologies.
- Delivery Channels: Inherent risk increases based on the variety and number of delivery channels. This category addresses whether products and services have availability through online and mobile channels and adjusts risk accordingly.
- Online/Mobile Products and Technology Services: Services and products such as debit and credit cards, person-to-person payments, originating automated clearing house (ACH), and retail wire transfers increase organizational risk.
- Organizational Characteristics: Risk increases depending on specific organizational characteristics such as the number of users with privileged access, locations of business presence, and changes in the IT environment.
- External Threats: External threats categorizes the number of attempted cyber-attacks on an organization.
For each control, an organization’s risk levels can rank from least inherent risk to most inherent risk.
Once each category is risk ranked, an organization can determine their overall inherent risk profile based on the number of applicable statements in each risk level for all controls. Inherent risk levels are detailed as follows:
- Least Inherent Risk: This organization has: very limited use of technology; limited products and services; a small geographic footprint; few employees.
- Minimal Inherent Risk: This organization has: limited technology in use and uses established technologies; less risky products and services; mission-critical systems outsourced; few types of connections to customers and third-parties.
- Moderate Inherent Risk: This organization has: somewhat complex technology; mission-critical systems outsourced; a greater variety of products and services offered through diverse channels.
- Significant Inherent Risk: This organization has: complex technology; high-risk product and service offering; internal hosting of a significant number of applications; many personal devices or a large variety of device types; substantial connections to customers and third parties; a variety of payment services offered directly; significant transaction volume.
- Most Inherent Risk: This organization has: complex technologies to deliver a variety of products and services; many products and services that are at the highest level of risk; new and emerging technologies in use across many delivery channels; outsources some mission-critical systems or applications, but many are hosted internally; many connection types to customers and third parties.
You can find the inherent risk profile guidance here.
Once an organization has determined its inherent risk profile, the organization determines its cybersecurity maturity. Cybersecurity maturity evaluates five domains:
- Cyber Risk Management and Oversight: Addresses management oversight, as well as the development and implementation of a cybersecurity program.
- Threat Intelligence and Collaboration: Includes the processes in place to help an organization discover, analyze, and understand cyber threats, as well as the capability to share these cyber threats with the appropriate parties.
- Cybersecurity Controls: Consists of the practices and processes that are used by your organizations to protect assets, infrastructure, and information.
- External Dependency Management: The establishment and maintenance of a program to oversee and manage third-parties with access to the institution’s technology assets and information.
- Cyber Incident Management and Resilience: The establishment, identification, and analysis of cyber events through event prioritization and communication with appropriate stakeholders.
For each control, an organization is ranked from baseline to innovative.
You can find the cybersecurity maturity assessment guidance here.
Once an organization determines both cybersecurity maturity and inherent risk, management can allocate resources to improve their risk profile and maturity scores.
An organization’s maturity level needs to match the organization’s inherent risk, as seen in the highlighted portion of the table below.
How does the Assessment help my organization?
By using the Assessment, management will be able to improve the oversight of their organization’s cybersecurity efforts by:
- Identifying the factors that contribute to an organization’s overall cyber risk
- Assessing cybersecurity preparedness
- Evaluating if cybersecurity preparedness is aligned with inherent risks
- Determinizing risk management practices and controls that are needed to achieve cybersecurity preparedness
- Informing risk management strategies
How can A-LIGN help with the FFIEC Cybersecurity Assessment Tool?
Save your organization time and resources by having A-LIGN conduct the Assessment for your organization. With our process, A-LIGN can determine your organization’s inherent risk and cybersecurity maturity level. Upon completion of the assessment activities, A-LIGN will issue a report which will include a listing of the controls assessed, identification of gaps identified during the assessment, and our recommendations to remediate identified gaps.
Our experienced assessors can evaluate risk and controls to guide your assessment and establish a roadmap to improve your organization’s risk management and cybersecurity strategies.